We are anonymous, we are legion

Responsible Data Forum: Discussion on the Risks and Mitigations of releasing Data

vanya — 2015-09-06T14:29:14Z

The Responsible Data Forum initiated a discussion on 26^th August 2015 to discuss the risks and mitigations of releasing data.

The discussion was regarding the question of adoption of adequate measures to mitigate risks to people and communities when some data is prepared to be released or for sharing purposes.

The following concerns entailed the discussion:

What is risk- risks in releasing development data and PII
What kinds of risks are there
Risk to whom?
Risks in dealing with PII, discussed by way of several examples
What is missing from the world

The first thing to be done is that if a dataset is made, then you have the responsibility that no harm is caused to the people who are connected to the dataset and a balance must be created between good use of the data on one hand and protecting data subjects, sources and managers on the other.

To answer what is risk, it was defined to be the “probability of something happening multiplied by the resulting cost or benefit if it does” (Oxford English Dictionary). So it is based on cost/benefit, probability, and a subject. For probability, all possible risks must be considered and work in terms of how much harm would happen and how likely that is about to happen. These issues must be considered necessarily.

An example in this context was that of the Syrian government where the bakeries were targeted as the bombers knew where the bakeries are, making them easy targets. It was discussed how in this backdrop of secure data release mechanism, local context is an important issue.

Another example of bad practice was the leak of information in the Ashley Madison case wherein several people have committed suicide.

Kinds of risk:

physical harm:

The next point of discussion was regarding kinds of the physical risks to data subjects when there is release/sharing of data related to them. Some of them were:

i. security issues
ii. hate speech
iii. voter issues
iv. police action

Hence PII goes both ways- where some choose to run the risk of PII being identified; on the other hand some run the risk of being identified as the releaser of information.

Legal harms- to explain what can be legal harms posed in releasing or sharing data, an example was discussed of an image marking exercise of a military camp wherein people joined in, marked military equipment and discovered people who are from that country.
Reputational harm as an organization primarily.
Privacy breach- which can lead to all sorts of harms.

Risk to whom?

Data subjects – this includes:

i. Data collectors
ii. Data processing team
iii. Person releasing the data
iv. Person using the data

Also, the likely hood of risk ranges from low, medium and high. We as a community are at a risk at worse.

PII:

- Any data which can be used to identify any specific individual. Such information does not only include names, addresses or phone numbers but could also be data sets that don’t in themselves identify an individual.

For example, in some places sharing of social security number is required for HIV+ status check-up; hence, one needs to be aware of the environment of data sets that go into it. In another situation where there is a small population and there is a need to identify people of a street, village or town for the purpose of religion, then even this data set can put them to risk.

Hence, awareness with respect to the demographics is important to ascertain how many people reside in that place, be aware of the environment and accordingly decide what data set must be made.

- Another way to mitigate risks at the time of release/sharing of data is partial release only to some groups, like for the purpose of academics or to data subjects.

- Different examples were discussed to identify how release of data irresponsibly has affected the data subjects and there is a need to work to mitigate harms caused in such cases.

Example- in the New York City taxi case data about every taxi ride was released-including pickup and drop locations, times, fares. Here it becomes more problematic if someone is visiting strip clubs, then re-identification takes place and this necessitates protection of people against such insinuation.

This shows how data sets can lead to re-identification, even when it is not required. Hence, the involved actors must understand the responsibilities when engaging in data collection or release and accordingly mitigate the risks so associated.

- A concern was raised over collection and processing of the information of genetic diseases of a small population since practically it is not possible to guarantee that the information of data subjects to whom the data relates will not be released or exposed or it won’t be re-identifiable. Though best efforts would be made by experts, however, realistically, it is not possible to guarantee people that they will not be identified. So the question of informing people of such risks is highly crucial. It is suggested that one way of mitigating risks is involving the people and letting them know. Awareness regarding potential impact by breach of data or identification is very important.

- Another factor for consideration is the context in which the information was collected. The context for collection of data seems to change over a period of time. For example, many human rights funders want information on their websites changed or removed in the backdrop of changing contexts, circumstances and situation. In this case also, the collection and release of data and the risks associated become important due to changing contexts.

What is missing from the world?

Though recognition of risks has been done and is an ongoing process, what is missing from the world are uniform guidelines, rules or law. There are no policies for informed consent or for any means to mitigate risks collectively in a uniform manner. There must be adoption of principles of necessity, proportionality and informed consent.

For more details visit https://cis-india.org/internet-governance/blog/responsible-data-forum

Responsible AI Workshop

Admin — 2019-09-20T14:50:47Z

Sunil Abraham participated in this meeting organized by Facebook on September 17, 2019 in New Delhi.

Click to view the agenda

For more details visit https://cis-india.org/internet-governance/news/responsible-ai-workshop

Responses to Trai’s consultation paper on free data contain some good suggestions

praskrishna — 2016-08-17T03:05:57Z

Trai has announced that it will come up with a final consultation paper on ‘Free Data’, and also a pre-consultation paper on Net Neutrality by the end of this month.

The blog post by Asheeta Regidi was published by FirstPost's Tech 2 on August 15, 2016.

The pre-consultation paper on Free Data (the Consultation Paper), which was issued in May 2016, asked for options where free data could be provided for accessing certain websites or apps without violating the Discriminatory Tariff Regulations issued earlier in February. The objective of the paper is to maximise internet penetration, and make internet available even to the poorest.

The models suggested in the Consultation Paper are a reward of free data for certain internet uses, zero data charges for accessing certain content, and refunding data charges in a manner similar to refund of LPG subsidies. These models are very similar to plans like Facebook’s Free Basics and Airtel Zero, which were banned by the Discriminatory Tariff Regulations.

While it is clear that Trai has no intention of withdrawing the Discriminatory Tariff Regulations, the Consultation Paper does appear to open up the doors to net neutrality violations again. Here’s a look at the comments and counter-comments that have come in response to this paper.

A motorist rides past a hoarding advertising Facebook’s Free Basics. Image: Reuters

Large TSPs and TSP associations want content-based free data schemes
The response of large TSPs like Vodafone, Idea and so on are quite predictable. They, alongwith most of the TSP associations such as ACTO, COAI and AUSPI, are in support of the idea of free access to certain sites. They, in fact, point out the similarities between the proposed models and the similar models brought out by them, such as Airtel’s One Touch Internet and Reliance’s Facebook Tap. They have also asked for a withdrawal of the Discriminatory Tariff Regulations, on the grounds that they hamper the innovation and forbearance capabilities of the TSPs.

They do, however, take issue with the fact that a TSP agnostic platform, or a platform which is completely independent of the TSPs, is to be given the power to decide how the lower prices or discounts are to be provided. They allege that there is nothing to prevent such a platform from acting as a gatekeeper in itself. They argue that TSPs are in a better position to perform this function, since they are subject to strict regulatory and licensing requirements from Trai.

Employees at an outsourcing centre in Bengaluru Image: Reuters

Smaller TSPs and other companies fear net neutrality violations
Smaller TSPs like Atria, Citicom and MTS are against content based free data proposal, mostly on the grounds that the models suggested violate net neutrality. They point out that allowing content based free data in any form will give an unfair advantage to large TSPs and content providers. Smaller companies and start-ups will be left in the lurch since they will not have the financial capabilities to effectively compete with such schemes. These entities also share the fear of the TSPs that there is nothing to stop a TSP agnostic platform from also acting as a gatekeeper.

Commuters with their smartphones in a Mumbai local. Image: Reuters

Some alternative suggestions for free data schemes which do not violate net neutrality
The approach suggested by Trai will, to a large extent, only benefit existing users of the internet, since a basic internet access of some sort is required before the users can enjoy the benefits of a rewards or a refund. Software Freedom Law Centre (SFLC), in its comments, points to research that found that only 12 percent of the users of zero rating services abroad (no data charges for certain websites), started using it because of the zero rating. Clearly, these schemes are not achieving the objective of increasing internet usage, and an alternative solution is required.

Many of the responses came up with alternative suggestions for free data schemes which can increase internet usage without violating net neutrality. Some of these suggestions are listed below:

The Digital Empowerment Foundation suggests the provision of free data quotas or packs, which would give a limited amount of data free of charge to all consumers. Any data usage above the basic pack will be charged at normal rates. It also suggests making such packs mandatory as a part of the TSP licensing terms or alternatively subsidising the cost of these packs through other benefits to the TSPs.
MTS suggests that content providers be allowed free internet access for a limited time or quantity, such as 30 minutes per day, or 100MB per day, to certain groups, like low income groups.
Mozilla and SFLC suggest the ‘equal rating’ system, where a small amount of data per day is made available free of charge to all internet users, over and above whatever other packs they may have purchased.
The Centre for Internet and Society suggests that the government allow TSPs to provide free internet to all, at a lower speed, and in return exempt the TSPs from the USO contributions in their license fees. This will ensure free data to all without differentiating based on content.
SFLC also suggests an increase in free public Wi-Fi hotspots, like the kind being made available in Indian railway stations, to increase internet accessibility without content-based discrimination.
MTNL suggests that if content-based free data is to be allowed, the government should determine what constitutes the basic services to be allowed for free, such as railway booking services, and not leave this to the understanding of the TSPs.
MTS also suggests that content providers be allowed to give data-based rewards for certain activity, such as watching associated advertisements.
Atria suggests that if free data is to be allowed, first establish a negative list of what cannot be done, such as no throttling of speeds.

Anonymous protests against Internet laws in Mumbai. Image: Reuters

First establish ground rules of net neturality
One common aspect of most of the comments to the Consultation Paper was the confusion regarding Trai’s stance on net neutrality. Many entities, including the large TSPs, pointed out the contradiction between this Consultation Paper and the Discriminatory Tariff Regulations.

This paper gives the impression that the Discriminatory Tariff Regulations were issued not to prevent content based discrimination, but to prevent telecom service providers from becoming ‘gatekeepers’. In reality, that is not the main fear of the people, but the fear that net neutrality will be affected. The culprits might be anyone, whether it is the TSP, the content provider or the TSP agnostic platform suggested by Trai. It needs to modify its approach, and first lay down the fundamental rules on net neutrality. Any other regulations must first comply with these rules.

While the motives of Trai are laudible, it is hoped that Trai will look into the several suggestions made that will achieve the dual targets of maximum internet penetration as well as securing net neutrality.

For more details visit https://cis-india.org/internet-governance/news/first-post-tech-2-august-15-2016-asheeta-regidi-responses-to-trai-consultation-paper-on-free-data-contain-some-good-suggestions

Response to the Pegasus Questionnaire issued by the SC Technical Committee

Anamika Kundu, Digvijay, Arindrajit Basu, Shweta Mohandas and Pallavi Bedi — 2022-04-13T14:45:41Z

On March 25, 2022, the Supreme Court appointed Technical Committee constituted to examine the allegations of alleged unauthorised surveillance using the Pegasus software released a questionnaire seeking responses and comments from the general public.

The questionnaire had 11 questions and the responses had to be submitted through an online form- which was available here. The last date for submitting the response was March 31, 2022. CIS had submitted the following responses to the questions in the questionnaire. Access the Response to the Questionnaire

For more details visit https://cis-india.org/internet-governance/blog/response-to-pegasus-questionnaire-issued-by-sc-technical-committee

Response to the Draft of The Information Technology [Intermediary Guidelines (Amendment) Rules] 2018

Gurshabad Grover, Elonnai Hickok, Arindrajit Basu, Akriti — 2019-02-07T08:06:41Z

In this response, we aim to examine whether the draft rules meet tests of constitutionality and whether they are consistent with the parent Act. We also examine potential harms that may arise from the Rules as they are currently framed and make recommendations to the draft rules that we hope will help the Government meet its objectives while remaining situated within the constitutional ambit.

This document presents the Centre for Internet & Society (CIS) response to the Ministry of Electronics and Information Technology’s invitation to comment and suggest changes to the draft of The Information Technology [Intermediary Guidelines (Amendment) Rules] 2018 (hereinafter referred to as the “draft rules”) published on December 24, 2018. CIS is grateful for the opportunity to put forth its views and comments. This response was sent on the January 31, 2019.

In this response, we aim to examine whether the draft rules meet tests of constitutionality and whether they are consistent with the parent Act. We also examine potential harms that may arise from the Rules as they are currently framed and make recommendations to the draft rules that we hope will help the Government meet its objectives while remaining situated within the constitutional ambit.

The response can be accessed here.

For more details visit https://cis-india.org/internet-governance/blog/response-to-the-draft-of-the-information-technology-intermediary-guidelines-amendment-rules-2018

Response to RTI on Decisions of the Cyber Regulation Advisory Committee

pranesh — 2013-01-09T15:26:26Z

The Department of Electronics & Information Technology, Ministry of Communications & Information Technology responded to a right to information (RTI) application filed by Saket Bisani on behalf of the Centre for Internet & Society on July 13, 2012 through notification No. 14(110)/2012-ESD, dated October 3, 2010.

No. 14(110)/2012-ESD
M/o Communiciations & Information Technology
Department of Electronics & Information Technology
Electronics Niketan, 6, CGO Complex
New Delhi-110003

Dated:3.10.2012

Subject: RTI application received from Shri Saket Biswani

With reference to your RTI application dated 13.7.12 requesting for the following information.

Question

a) Please provide me a list of the dates of each meeting of the CRAC held from October 18, 2000 till July 13, 2012?

b) Please provide me copies of the minutes of every meeting held by the Cyber Regulation Advisory Committee from October 18, 2000 till July 13, 2012.

c) Provide me the list of all policy decisions that the CRAC has advised the Central Government on under section 88(3) (a) of the Information Technology.

d) Provide me a list of all policy decisions that the CRAC has advised the Central Government on under section 88(3)(a) of the Information Technology Act, 2000.

The information as received from the custodian of the information is placed below:

Answer

a) The meetings of CRAC were held on 6^th March, 2001 and 17-18 March, 2001.

b) Minutes of these two meetings of CRAC are attached.

c) No such advice was given by CRAC to DeitY under section 88(3)(a).

d) Information is attached.

(A.K. Kaushik)
Additional Director & CPIO
(E-Security & Cyber Laws)

To: Shri Saket Bisani
No. 194, 2^nd 'C' Cross,
Domlur 2^nd Stage
Bangalore-560 071

Minutes of the First Meeting of the Cyber Regulation Advisory Committee (CRAC) held on March 6, 2001, at Electronics Niketan, under the Chairmanship of Hon’ble Minister* (IT) Shri Pramod Mahajan.

(List of Participants enclosed as Annexure-A)

The chairman welcomed the participants to the First Meeting of the Committee. In his opening remarks he hoped that the Committee would play a constructive role in the implementation of the Information Technology Act.
While introducing the Agenda (circulated ahead of the meeting), Controller of Certifying Authorities (CCA) made a short presentation on proposed "Regulation.; under section 89 of the IT Act" consisting of 18 proposed Regulations, Smart Card as token carrying Keys, and various suggested Amendments to the IT ACT 2000.
During the ensuing discussions, participants sought some time to study and collate associated inputs from their respective colleagues/specialists before offering any concrete suggestions/recommendations. Chairman agreed to the suggestions and postponed the meeting to 11:00 AM on the March 17, 2001 at the same venue. Based on the recommendation of Secretary (IT), members were requested to forward their inputs, if any, through e-mail within a weeks time to the following:

For Regulations wider section 89 of IT Act	For amendments to IT Act 2000
Shri K.N. Gupta (CCA) Room No. 4006, Electronics Niketan 6 CGO Complex New Delhi 110003 e-mail:kgupta@mit.gov.in Tele: 436 3073 Fax: 439 5982	Shri A.B. Saha (Member Secretary) Room No. 2055, Electronics Niketan 6 CGO Complex New Delhi 110003 e-mail:saha@mit.gov.in Tele: 436 0958 Fax: 436 2924

Meeting ended with a vote of thanks to the Chair.

Minutes of the Second Meeting of the Cyber Regulation Advisory Committee (CRAC) held on 17-18 March, 2001 at Electronics Niketan, New Delhi under the Chairmanship of Hon'ble Minister (IT), Shri Pramod Mahajan.

(List of Participants enclosed as Annexure-A)

The chairman welcomed the participants to the second meeting of the Committee to consider further the draft regulations proposed by the Controller of Certifying Authority (CCA). ' " ~
During the ensuing discussions, following general recommendations/decisions were arrived at governing the overall formulation of the regulations that are necessary to bring about infrastructure facilitating activities envisaged under the IT Act 2000:

a) Any regulation to be framed by the Controller draws its authority only from Section 89(2) of the Act. Moreover, such regulations should complement the Rules already framed under the Section 87 of the Act.

b) To keep pace with the changing technology and standards, CCA may publicly notify/modify necessary specifications of technology, standards and procedures at regular interval (say, January of every year). Moreover, to adhere to the "principles of minimal governance", if any particular necessity emerges for inclusion of newer manifestations of any existing standard/technology/procedure, Controller should respond within ninety (90) days after receiving any specific request in writing, failing which it will deemed to have obtained his concurrence.

c) The commercial practices/interests may form the essential pedestal for the certification process. Aspects of cross-certification may preferably be left to the purview of the concerned market forces. However, the necessary interoperability will essentially be "market-driven" and not "authority-driven". This will also ensure that formulated rules and regulations stay in tune with market realities.

d) Strict adherence to open standards should be ensured to avoid emergence of monopoly of any kind.

e) Considering cost sensitiveness of the requisite digital signature certificate, families of technologies varying in convenience, reliability, availability, robustness, etc. may be allowed to inter-operate. However, CCA may undertake public awareness campaign to promote desirable best practices from time to time.

f) The minimal regulations facilitating activities envisaged in the Act is desirable. Some of the proposed provisions can also be ensured in the form of "terms & conditions" governing the operations of Certifying Authorities.

g) Emergence of guidelines governing smooth functioning may be better left to publications brought out by industry associations, public-minded professionals etc. Formulating rules and regulations in these regards should be minimal.

3. After framing the draft compilation of the requisite regulations in accordance with the conventional legal form in terms of content as well as structure with the assistance of the Ministry of Law, the regulations may be brought to the Ministry of Information Technology for approval.

4 The Committee considered the 18 regulations proposed in Agenda Item No.1 and the statement reproduced below contains the decision taken against each proposal.

SI	Item	Conclusions
1	Regulation 1 Standardising on two key-pairs for PKI in the country. Key-pair generation for subscribers by CAs.	Regulation not required. Encryption Key pair not part of the IT Act. Already covered under Rule 3, 4 & 5 of notified CA Rules. Subscriber should be at liberty to bring his key pair that CA may verify before acceptance. (Section 40 of the Act)
2	Regulation 2 Encryption key-pair of subscribers to be maintained by CAs in a database and made available to enforcement and law agencies under directions of the Controller.	Regulation not required. IT Act is silent regarding encryption.
3	Regulation 3 Disclosure Record of CA.	Disclosure may be done every six months. Necessary format for disclosure may be notified from time to time. (Para 2(f) above)
4	Regulation 4 Encryption Key Pair of CA to be made available to the Controller.	Regulation not required in accordance to conclusions against 1 & 2 above.
5	Regulation 5 Cross-Certification with foreign CAs.	As per recommendation 2(c) above.
6	Regulation 6 Terms and Conditions subject to which license shall be issued by the Controller to the prospective CAs.	Can be merged with regulation 11. As per the recommendation mentioned in 2(c) above.
7	Regulation 7 Standards that may be considered for different activities associated with the CAs functions including standardization of contents of the Certificates to be issued by CAs and standardization of the Certificate Revocation List.	As per the recommendation 2(b) above.
8	Regulation 8 Information to be made publicly available by a CA on its website. Notice of suspension or revocation of license.	CA must harness all form of networks and other practical media, and not only Internet, for disclosure to its subscriber and other interested parties.
9	Regulation 9 Standardisation of Certificate Practice Statement.	Agreed.
10	Regulation 10 Compromise of subscribers Digital Signature Key-Pair	Agreed.
11	Regulation 11 Description of classes of Certificates.	Shall be merged with regulation 6 above. In addition to 3 classes of certificates as identified by international bodies, the regulation should be open to additional classes of certificates, if required.
12	Regulation 12 Cross-Certification of CAs.	It should be market-driven. (Recommendation 2(c) above).
13	Regulation 13 Incorporation of Controllers Public Key Certificate as the "root” in all web browsers in the country.	Regulation not required. Need for integrating Controller's root key in the browsers may not be feasible.
14	Regulation 14 Minimum key length for CAs and subscribers.	Agreed for the provision of 1024 bits for subscriber/end-user and 2048 bits for CAs key pair.
15	Regulation 15 Audit of applicants to include manpower audit as well. Liability of CAs towards subscribers on account of their negligence.	Regulation not required. Audit provision has already been covered under Rule 31 of CA rules notified by MIT.
16	Regulation 16 Storage of Key-Pairs of CAs. Distribution of Key-Pairs / Certificates of subscribers by CAs.	Not to be regulated. Recommendation 2(e) above shall be followed.
17	Regulation 17 Documents to be submitted to the Controller along with the application for obtaining license to operate as CA.	Already covered under rule 10 of CA rules notified by MIT. Any additional information can be sought through the recourse of public notices from time to time.
18	Regulation 18 Upon acceptance of PKC by a subscriber, the PKC shall be published by the CA as required under the IT Act for access by the subscribers and relying parties. The CA will ensure the transmission of PKC and CRLs to the National Repository to be maintained by the Controller.	Agreed.

Meeting ended with a vote of thanks to the Chair.

Annexure - A

First sitting of the second meeting of the “Cyber Regulation Advisory Committee” held on 17th March 2001 to consider adjourned agenda of the first meeting held on 6ft March 2001

List of Participants

Sh Pramod Mahajan, Minister, Information Technology - Chairman
Sh.S.C Jain , Secretary, Legislative Department
Sh Vinay Kohli, Secretary, Ministry of Information Technology
Sh. N. Parameswaran, DDG(LR), Department of Telecommunications
Dr. Jaimini Bhagwati, Ministry of Finance
Maj.Gen. M. G. Datar, Addl.D.G, IT, Army HQ, Ministry of Defence
Sh Mukesh Mittal, Dy Secy, Ministry of Home Affairs
Sh T A Khan, Sr. Dir, NIC, Ministry of Commerce
Sh. K.R Ganapathy,CGM-IC,RBI

10. Sh.S.R-Mittal,Adviser,DIT, Reserve Bank of India

11. Sh Dewang Mehta, President, NASSCOM

12. Sh Amitabh Singhal, President, Internet Service Providers Association

13. Sh LN Behra, DIG, Director, Central Bureau of Investigation

14. Sh K N Gupta, Controller of Certifying Authority

15. Sh. Qamar Ahmed. Addl.C.P/Crime, DG Police by rotation from the States

16. Prof. R S Sirohi. I1T Delhi, Director, IIT Delhi

17. Sh.Sanjay Dhawan, ExecDirector,KPMG, Representing CII

18. Sh. M.A.J.Jeyaseelan, Secretary, FICCI

19. Sh. Subimal Bhattacharjee, Vice President ARGUS, Representing ASSOCHAM

20. Sh A B Saha, Senior Director, Ministry of IT - Member Convener

First sitting of the second meeting of the “Cyber Regulation Advisory Committee” held on 18th March 2001 to consider adjourned agenda of the first meeting held on 6ft March 2001

List of Participants

Sh Pramod Mahajan, Minister, Information Technology - Chairman
Sh.N.L. Meenu, Jt. Secretary, Legislative Department
Sh Vinay Kohli, Secretary, Ministry of Information Technology
Sh. N. Parameswaran, DDG(LR), Department of Telecommunications
Dr. Jaimoni Bhagwati, Ministry of Finance
Maj.Gen. M G Datar, Ministry of Defence
Sh Mukesh Mittal, Dy Secy, Ministry of Home Affairs
Sh T A Khan, Sr. Dir, NIC, Ministry of Commerce
Sh. K.R Ganapathy,CGM-IC,RBI

10. Sh Dewang Mehta, President, NASSCOM

11. Sh Amitabh Singhal, President, Internet Service Providers Association

12. Sh LN Behra, DIG, Director, Central Bureau of Investigation

13. Sh K N Gupta, Controller of Certifying Authority

14. Sh. Dinesh Bhatt, Dy. Police Commissioner, Delhi

15. Prof. R S Sirohi. I1T Delhi, Director, IIT Delhi

16. Sh.Sanjay Dhawan, ExecDirector,KPMG, Representing CII

17. Sh. M.A.J.Jeyaseelan, Secretary, FICCI

18. Sh. Subimal Bhattacharjee, Vice President ARGUS, Representing ASSOCHAM

19. Sh A B Saha, Senior Director, Ministry of IT - Member Convener

For more details visit https://cis-india.org/internet-governance/resources/deity-response-to-rti-on-decisions-of-crac

Response to GCSC on Request for Consultation: Norm Package Singapore

Arindrajit Basu, Gurshabad Grover and Elonnai Hickok — 2019-01-27T15:43:12Z

The GCSC opened a public comment procedure to solicit comments and obtain additional feedback. CIS responded to the public call-offering comments on all six norms and proposing two further norms.

The Global Commission on the Stability of Cyberspace, a multi-stakeholder initiative comprised of eminent individuals across the globe that seeks to promote awareness and understanding among the various cyberspace communities working on issues related to international cyber security. CIS is honoured to have contributed research to this initiative previously and commends the GCSC for the work done so far.

The GCSC announced the release of its new Norm Package on Thursday November 8, 2018 that featured six norms that sought to promote the stability of cyberspace.This was done with the hope that they may be adopted by public and private actors in a bid to improve the international security architecture of cyberspace

The norms introduced by the GCSC focus on the following areas:

Norm to Avoid Tampering
Norm Against Commandeering of ICT Devices into Botnets
Norm for States to Create a Vulnerability Equities Process
Norm to Reduce and Mitigate Significant Vulnerabilities
Norm on Basic Cyber Hygiene as Foundational Defense
Norm Against Offensive Cyber Operations by Non-State Actors

The GCSC opened a public comment procedure to solicit comments and obtain additional feedback. CIS responded to the public call-offering comments on all six norms and proposing two further norms. We sincerely hope that the Commission may find the feedback useful in their upcoming deliberations.

Read the full submission here

For more details visit https://cis-india.org/internet-governance/blog/arindrajit-basu-gurshabad-grover-elonnai-hickok-january-22-2019-response-to-gcsc-on-request-for-consultation

Response by the Centre for Internet and Society to the Draft Proposal to Transition the Stewardship of the Internet Assigned Numbers Authority (IANA) Functions from the U.S. Commerce Department’s National Telecommunications and Information Administration

pranesh — 2015-11-29T06:35:12Z

This proposal was made to the Global Multistakeholder Community on August 9, 2015. The proposal was drafted by Pranesh Prakash and Jyoti Panday. The research assistance was provided by Padmini Baruah, Vidushi Marda, and inputs from Sunil Abraham.

For more than a year now, the customers and operational communities performing key internet functions related to domain names, numbers and protocols have been negotiating the transfer of IANA stewardship. India has dual interests in the ICANN IANA Transition negotiations: safeguarding independence, security and stability of the DNS for development, and promoting an effective transition agreement that internationalizes the IANA Functions Operator (IFO). Last month the IANA Stewardship Transition Coordination Group (ICG) set in motion a public review of its combined assessment of the proposals submitted by the names, numbers and protocols communities. In parallel to the transition of the NTIA oversight, the community has also been developing mechanisms to strengthen the accountability of ICANN and has devised two workstreams that consider both long term and short term issues. This 2 is our response to the consolidated ICG proposal which considers the proposals for the transition of the NTIA oversight over the IFO.

Click to download the submission.

For more details visit https://cis-india.org/internet-governance/blog/response-by-the-centre-for-internet-and-society-to-the-draft-proposal-to-transition-the-stewardship-of-the-internet-assigned-numbers-authority-iana-functions-from-the-u-s-commerce-department2019s-national-telecommunications-and-information-administration

Responding to govt requests is a challenge for online firms: Colin Maclay

praskrishna — 2013-03-15T05:07:10Z

Colin M. Maclay, MD of Berkman Center for Internet and Society at Harvard, on challenges in cyberspace.

Colin M. Maclay, MD of Berkman Center for Internet and Society at Harvard mentions about the Centre for Internet and Society, Bangalore in his interview done by LiveMint. The article was published in LiveMint on March 13, 2013.

Mumbai: Colin M. Maclay, managing director of the Berkman Center for Internet and Society at Harvard University, says that companies such as Google Inc. and Facebook Inc. are facing their greatest challenge in responding appropriately to governments that demand user information from them as part of regular practice or to abuse power. In an email interview to Mint on Wednesday, Maclay underscored the policy gaps on the Internet, differences in cyber laws across nations and the forces transforming education, media and technology companies online. He hopes to elaborate on some of these views in Mumbai on Thursday, the concluding day of Ficci Frames,a conclave on the media and entertainment industry that began on Tuesday. Edited excerpts:

How vulnerable are we because of the information shared on email platforms such as Gmail or Yahoomail or on social networks like Facebook?

We are vulnerable in many ways as we share information about ourselves and our friends, sometimes wisely and other times indiscriminately. But this information is later shared with many third-party tracking networks so that the highest bidder can advertise to us the product they think we want. That information is also sold to other interested parties, from businesses to governments. Other business offerings like facial recognition software only make the proposition spookier. Many of them want to responsibly monetize our data typically for advertising or improving their service offerings although we may not all agree on what that means in practice.

Are any laws being considered in the US to protect people’s privacy online?

Privacy around telephony, wiretaps for instance, is much better than Internet-related government requests. There are a host of laws and regulations around privacy in the US, but many of my colleagues would likely say that they are inadequate—not keeping up with the technology, actual use or business practice. They are also in conflict with European laws, which suggests the need to resolve these differences. In this gap, practices like the Google and Twitter Transparency Reports are significant steps forward in telling what governments are actually doing around the world with respect to online privacy and expression. India’s government has a noteworthy presence in these reports, as does the US.

Is it easier for the government to get personal information of suspects’ activity online from Google or Facebook than it would be through an offline search warrant?

There are questionable requests made to companies to provide user information, censor content or other such action by law enforcement agencies in various jurisdictions. Often it is legitimate, and companies should respond accordingly, while at other times, companies may overreach unintentionally, requesting much more information than they need or broader censorship due to their own lack of understanding. In other cases, as part of regular practice or in an informal abuse of power, governments will make requests that do not hold up scrutiny to the rule of law and due process. They may have political or economic motivations, for instance. It’s in discerning between these cases, and figuring out how to respond appropriately, that the companies face their greatest challenge.

Has the freedom of expression been limited by the governments?

The OpenNet initiative, a research collaboration between the Citizen Lab at the University of Toronto and the Berkman Center at Harvard, has documented the rise of state-sponsored Internet censorship from a handful of countries a decade ago to over 40 countries today. Beyond technical control, there is a massive increase in copyright-related takedowns that include legitimate takedowns, plus many attempts at economic and political control. There are informal legal and process controls on content. There is also a wide range of self-censorship that’s difficult to document.

How are these companies addressing the issue?

In recognition of the difficult situation, companies such as Google, Microsoft Corp., Yahoo Inc. (Facebook is an observer at present), non-government organizations like Human Rights Watch, Center for Democracy and Technology (CDSA) and the Centre for Internet and Society in Bangalore and investors like Calvert Investments Inc. and F&C Asset Management Plc, founded the Global Network Initiative (GNI) in October 2008 to protect and advance privacy and freedom of expression online.

Cybercrimes like credit card frauds surface time and again...why is the Internet still not secure enough?

It goes back to beginnings of the Internet, it was built to be open rather than secure. That said, there are a variety of different concerns, including organizations doing an inadequate job of securing the credit card data they hold. That’s their fault and it seems there should be policy solutions that require better security and exact penalties for lapses and bad practice to encourage better behaviour. Credit card fraud online and offline is a problem, and unfortunately it sometimes effectively punishes countries with risk by automatically denying cards—effectively leaving users in those countries without access to e-commerce.

On the good side, top universities around the world now offer online education, How is it transforming the education system?

Like many analog institutions that are adopting digital resources, it’s unclear what will happen. Hopefully it will lower prices, increase learning opportunities, and improve learning all in a sustainable way. We can’t deny, however, the role of in-person interaction whether it’s while seeing friends, dating or doing business and learning is no different.

Looking at trends, laptops began replacing desktops and now tablets are becoming a preferred personal computing device. What’s next?

A decade ago it was laptops or mobiles, and the price of laptops came down, but the mobile network proliferated even faster. Smartphones continued to drop in price and increase in potential, laptops are lighter than ever, tablets have come up, even operating systems are beginning to converge. Now, immersive experiences like Google Glass are coming. It’s hard to know what’s next, but I hope that device convergence will serve as an enabler rather than a limiter.

For more details visit https://cis-india.org/news/livemint-ruchita-saxena-march-13-2013-responding-to-govt-requests-is-a-challenge-for-online-firms

Respite from Internet Censorship?

praskrishna — 2012-08-10T15:51:30Z

Of late, a lot of the blocked websites have started reappearing. So should we sit back and relax? We take a look at how it's not really the start of something beautiful...writes Nimish Sawant. Sunil Abraham is quoted.

Published in thinkdigit on June 2, 2012

In April, Chennai based Copyrights Labs got a John Doe order (An order against no one in particular) from Madras High Court which ordered ISPs to block several video hosting websites such as Vimeo and Dailymotion along with a string of torrent sites such as Isohunt and Pirate Bay. The motive was to prevent illegal sharing of the movies 3 and Dhammu. The ISPs went on this whole website blocking spree welcoming users with messages such as, “This website has been blocked as per instructions from the Department of Telecom (DoT)”.

In June, the Madras High Court issued an order which made it mandatory for complainants to provide exact URLs where they find illegal content, such that ISPs could block only that content and not the entire site.

This order is definitely a relief for Indian internet users, who were facing a variety of blocked websites for a couple of months. In the May-June period there was a lot of media coverage around Internet censorship and then there was the much-hyped Anonymous protest (http://goo.gl/YCQod) that saw a not-so-great participation. Just like most media stories, it is slowly departing from the public conciousness. So does this mean our censorship woes are behind us?

Far from it.

The dark cloud of Intermediaries Guidelines
The Information Technology (Intermediaries Guidelines) Rules 2011 were added to the IT Act 2000. According to it, the intermediaries (website, domain registrar, blog owner and so on) guidelines allows the government to pull up any website that hosts “objectionable” content. It gives anyone the right to send “content removal notice” to an intermediary, asking it to be removed within 36 hours. Terms describing such content - grossly harmful, harassing, blasphemous, defamatory, obscene - are those that are open to interpretation. So, Facebook can be hauled up for derogatory content or pages on its site. Hell, even if you own a blog and someone else posts a derogatory comment, you can be pulled up.

This is a rather smart move by the government to force self-censorship down our throats. Just try imagining - Every 60 seconds: on YouTube there are 48 hours worth of videos uploaded; Wordpress users publish 347 blogs; Twitter users send over 100,000 tweets among others. (Source: http://goo.gl/U7qT8) How on earth is monitoring such a vast amount of data even possible?

Karnika Seth, Cyberlaw Expert	"Any content which is illegal can be blocked by ISP or on directions of a court.A person who uploads illegal content does not have a right to claim that it should not be blocked. But if harmless content is blocked arbitrarily by government or by an ISP, a person can approach the court for a direction that content should not be blocked from public access. No specific section in IT Act entitles a person to sue in such cases . However freedom of speech and expression is our fundamental right guaranteed under Art.19 of the Constitution of India and it is our constitutional right to seek legal redress for its protection by approaching the court."

Karnika Seth, Cyberlaw Expert

"Any content which is illegal can be blocked by ISP or on directions of a court.A person who uploads illegal content does not have a right to claim that it should not be blocked. But if harmless content is blocked arbitrarily by government or by an ISP, a person can approach the court for a direction that content should not be blocked from public access. No specific section in IT Act entitles a person to sue in such cases . However freedom of speech and expression is our fundamental right guaranteed under Art.19 of the Constitution of India and it is our constitutional right to seek legal redress for its protection by approaching the court."

Every site has internal checks and balances in the form of a 'Report Abuse' option, where users raise flags against content which they may find objectionable and the site takes a call. But with the intermediary rules, the content has to be removed within 36 hours. And here's the kicker – the content can be removed without informing the owner or giving him or her a chance to defend. A political cartoon website cartoonsagainstcorruption.com was a victim of such rules. In March this year, Rajya Sabha MP, P. Rajeeve, had moved a motion calling for the annulment of the intermediaries rules sometime in April. This motion, as would be expected, was defeated by a voice vote.

“Any content which is illegal can be blocked by the ISP or on directions of a court. A person who uploads illegal content does not have a right to claim that it should not be blocked. But if harmless content is blocked arbitrarily by government or by an ISP, a person can approach the court for a direction that content should not be blocked from public access,” said cyberlaw expert Karnika Seth. When asked if there is a clause in the IT Act which enables a person to drag the government or the ISP for blocking access to their harmless content on the web, Seth said, “No specific section in the IT Act entitles a person to sue in such cases . However, freedom of speech and expression is our fundamental right guaranteed under Art.19 of the Constitution of India and it is our constitutional right to seek legal redress for its protection by approaching the court.”

So what should one do if his or her content is blocked due to the blanket ban on websites? “If I am blocked access to my content on the web (say by blocking sites such as Vimeo or Blogspot for instance) I should file an appeal against the John Doe order in the higher court or to the division bench of High court if earlier order has been passed by single bench of the same High court. These provisions are there for any citizen in Procedural Law of India. The IT Act, 2000 need not be invoked,” says Advocate Prashant Mali, President, Cyber Law Consulting.

Google Transparency report clearly established a link between internet censorship and the government. According to the report, between January and June 2011 Google received 1739 requests for disclosure of user data from the Indian government whereas from July to December 2011, the number of requests by the government went up to 2207. Thankfully Google's compliance rate has come down, but the requests will keep increasing. And this is just Google products we are talking about. Is it then right for just the government to go ahead and draft the rules regarding internet usage? Are there provisions for you, the user to play a part in drafting of these rules. According to Advocate Mali, laws are generally put up for debate on various Government websites. But in the case of the Intermediaries Guidelines, the government used the two-thirds majority to pass the rules.

According to Sunil Abraham, Director, Centre for Internet and Society – a Bangalore-based internet advocacy group, we are very far in terms of Internet policies. “Dr. Gulshan Rai of CERT-IN has not taken even the public feedback process seriously and does not hold public consultations. This is very unlike TRAI, the telecoms regulator that has a very sophisticated approach towards transparent and participatory policy formulation.” He says that in India there is little transparency in some areas of policy articulation and our representatives do not seem sufficiently interested in protecting the public interest.

Also according to Adv. Mali, the recent Madras High Court directive asking the ISPs to block only the ‘pirated content’ and not the entire website, is just half the battle won for the ISPs. “If ISP's feel they have won, then that's just half the victory, because if they don't implement the order with full might and even if one copyright gets infringed because of there weak enforcement, then it would amount to Contempt of Court which will land ISP's into soup,” he says.

“The Madras High Court judgement which essentially directs ISPs to block “pirated content”, and not the website as a whole, is a good judgment with respect to Internet users, but implementing it selectively would be a mammoth task for ISP's. If ISP's feel they have won, then it's just half the battle won, because if they don't implement the order with full might and even if one copyright gets infringed because of weak enforcement, then it would amount to Contempt of Court which will land ISP's into soup."

Advocate Prashant Mali, President, Cyber Law Consulting

Is the Anonymous way, the right way?
In June, we saw the global hactivist organisation - Anonymous attacking a string of Government websites and that of ISPs such as Reliance communications, which had blocked access to websites. On June 9, there was a street protest across various metros in India. While the participation was not very encouraging, the sympathy for what Anonymous hackers were doing to those opposing Internet censorship was immense.

According to Advocate Mali, though the agenda of Anonymous was good, their means of achieving that end were wrong. “One cannot put a gun on the Government’s head in a democracy. If they keep doing this, they will be outlawed. If Anonymous really wants to work for the netizens, they should find better ways to protest instead of those which are cognizable cyber crimes in India.” said Mali.

According to Abraham, Anonymous are embracing the civil disobedience movement to protest against unjust laws. He feels that it is pertinent for Anonymous to retain the moral high ground. “Breaking into servers, leaks of personal information and defacement of websites is both illegal and also unlikely to win them more supporters from within the policy formulation space,” concurs Abraham.

Sunil Abraham, Executive Director, Centre for Internet & Society

“The government ie. the government in power, does only frame subsidiary rules. For example – the draconian rules related to reasonable security measures, cyber cafes and intermediaries were drafted in April last year. The main Act in this case the Information Technology Act is framed in the Lok Sabha and Rajya Sabha. Even though the elected government may dominate the proceedings, if they have a clear majority, the opposition parties must debate every detail especially in laws that affect our civil liberties. Unfortunately, since the Internet is not used by the majority of the population it is politically still an insignificant issue. The private sector cannot frame laws that regulate itself – that would be a contradiction in terms. Citizens cannot be asked to vote in referendums each time laws have to be passed, that would just be too slow. Transparency representative democracy is the online option – unfortunately in India there is little transparency in some areas of policy articulation and our representatives don't seem to be sufficiently interested in protecting the public interest.”

Where do we go from here?
So it is safe to say that even though the issue of censorship is not making headlines everyday, it will never will be behind us. “This is just a temporary lull in the storm. Governments are always keen to crack down on free speech and privacy online,” feels Abraham. According to him, projects such as Unique Identification (UID) and National Intelligence Grid (NATGRID) means the death of anonymity and pseudonymity for Internet and mobile users in the country.

On the other hand, Adv. Mali says that so long as the Intermediaries guidelines are part of the IT Act, it will only mean bad news for regular netizens. “Till the rules are effective, censorship and blocking would be a weapon in the hands of the Government, even though it may violate certain Fundamental Rights enshrined by Indian Constitution to Indian Citizens,” he said.

“Indian Internet users have to be very vigilant – if not, we will loose all our rights and freedoms one by one,” warns Abraham.

We can just hope that the issue does not get completely out of hand.

For more details visit https://cis-india.org/news/www-thinkdigit-com-nimish-sawant-02-06-2012-respite-from-internet-censorship

Research Initiative: Women in India's IT Industry

jdine — 2013-03-06T10:31:48Z

CIS has begun a brief research project which will examine indicators of female economic empowerment in the IT industry in India. Though the gathering of quantitative and qualitative data from the six largest publicly-traded Indian software companies, we hope to provide insight into state of female employment in one of the most important and rapidly growing economic sectors in the country.

The recent events and subsequent discussions surrounding the brutal gang rape and murder of a young Delhi woman on a bus last December in Munirka, New Delhi, have prompted dialogue in mainstream discourses about the position of women in India, and have lead many to scrutinize the treatment of women within various spheres of Indian society. What has become increasingly apparent following the events of December 16^th is that effective longterm change for Indian women cannot be achieved by harsher consequences or more rigorous transport regulations, but instead through widespread recognition of the routine discrimination faced by Indian women in their public, private and professional lives. The latter sphere is of particular interest to the Indian context, as although the last two decades have seen an unprecedented number of Indian women enter the formal workforce, issues of female economic empowerment tend to get downplayed when juxtaposed against the entirety of the system of discrimination and violence faced by women in India.

As a brief foray into the reality of female economic empowerment in India, CIS has decided to carry out a small though hopefully telling research project on some of the largest corporate players in the Indian IT industry. The aim of this research is to gain a better understanding of the state of female employment, gender equality and the qualitative experience of being a working woman in one of the most important and rapidly growing economic sectors in the country.

Using NASSCOM's annual industry ratings from 2007-2012,[1] we put together a list of the six software companies headquartered in India that appeared in the top five spots at least twice between the years 2007-2012. These companies are Tata Consultancy Services Ltd., Infosys Ltd., Wipro Ltd., HCL Tech Ltd., Tech Mahindra and Mahindra Satyam. Through formal requests for data and a handful of qualitative interviews, we will be gathering information from these companies and their employees that will eventually by compiled into a short report that will be publicly available on our website.

(A brief explanation of why we chose to use NASSCOM's industry list can be found at the end of this article,[2] along with some notes on the change of ownership of Mahindra Satyam and its merger with Tech Mahindra).[3]

Why the IT Industry?

In 2012, an international consulting and management firm called Booz & Company released “The Third Billion”, a global ranking of the level of economic empowerment attained by woman on 128 countries. The indicators used included equal pay for equal work, non-discrimination policies, the male-to-female-male employee ratio, and equality in terms of female managers and senior business leaders.[4] India rated quite poorly at spot 115.[5] Further, the International Labour Force recently reported that the rate of female participation in the total labour force[6] in India has fallen from 37% in 2004-05 to 29% in 2009-10, leaving India at the 11th lowest spot out of 131 countries.[7] Despite these declining rates, it was estimated in 2010 that approximately 5.5 million Indian women were entering the formal workforce each year at that period in time,[8] and though the aforementioned statistics likely indicate that a larger proportion of men are entering the formal workforce each year than women, this is a significant amount of employees, many of whom will be facing a unique set of challenges in the workplace simply because of their gender. In fact, research done by the Centre for Talent Innovation has found that 55% of female Indian employees routinely encounter such severe bias in the workplace that they disengage from their work or consider dropping out altogether.[9]

This is where the IT industry comes in. From an aggregate revenue of USD 3.9 billion in Fiscal Year (FY) 1998[10] to more than USD 100 billion in FY2012,[11] the Indian IT-BPO industry has been growing exponentially over the last 15 years, and it continues to be one of the fastest growing sectors in the Indian economy. Further, it has rapidly become one of the most economically significant industries in India in terms of share of total exports (approximately 25% for FY2012)[12] export revenue (USD 69.1 billion and growing by more than 16%)[13] and proportion of national GDP (from 1.2% in FY1998 to 7.5% in FY2012).[14] IT services alone account for more than half of the software and services exports in the industry, and is the fastest growing segment of the sector at 18%.[15] Further, NASSCOM estimates that the sector will create 230,000 jobs in FY2012,[16] increasing the number of individuals employed directly in India's IT-BPO industry to about 2.8 million individuals.[17] The industry is estimated to indirectly employ another 8.9 million people.[18]

Because the IT industry in India is such an important source of employment for young Indian professionals (the median age of IT-BPO employees in India was about 24[19] in 2011), and because an unprecedented amount of those young professionals are women (women made up 42% of India's college graduates in 2010, and that figure was expected to continue to rise),[20] IT companies have the potential to become leading examples of women-friendly employers. However, according to DataQuest's Best Employer Survey 2012, the percentage of women employed in the IT industry in India has actually decreased from 26% in 2010 to 22% in 2012[21] even though the number of jobs created in this sector continues to increase annually. Again, these statistics most likely point to a larger number of males available for employment than females (and therefore a larger proportion of men being employed), but they also show that the number of women employed in the IT sector is not significantly increasing (or even increasing at all).

Considering, then, how important the IT industry may be for the employment of young female professionals (and if it is not now, it will be soon), the responsibility to create nondiscriminatory and comfortable workplace environments should fall heavily on the largest and most economically significant companies in the software sector, as they have the opportunity to set precedents not only for the rest of the industry but for Indian employers as a whole.

How are these industry giants faring in terms of the treatment of their female employees?

To commence this research, I have collected some basic facts about the Board of Directors and executive management teams of the six Indian IT companies off of their websites and annual reports. This brief preliminary foray into the industry has revealed that although many of these companies promote gender equality in the workplace and women in senior positions of authority, the Indian software sphere continues to be almost entirely male-dominated.

The collected statistics on Board members and executive management teams are listed below. It bears keeping in mind that while the information on the Board of Directors may be quite reliable (depending on how recently each company has updated their website) and therefore appropriate to use as a tool of comparative analysis, the information on the executive management teams can be misleading, as each company appears to have a different criteria of what constitutes a senior management team (for example, Tata Consultancy Services lists two individuals, their CEO and CFO, as their executive management team, but Wipro Ltd. lists 24 individuals from a variety of different departments).

Because we were not certain of how recently each company had updated its website, we have prioritized the data on the Boards from their annual Investor's Reports over the information available on their websites.

Tata Consultancy Services Limited
TCS' annual report for the 2011-2012 fiscal year reports a 14 member Board of Directors with one female non-executive director. This woman is not Indian. The report also lists a 28-member strong management team with two female members, and their website lists

Number of women on the Board: 1/14

Number of women holding executive management positions: 2/30

Infosys Limited
Infosys Ltd. has 15 Board members: six executive members, none of which are women; one male chairperson; and eight non-executive independent members, one of whom is a woman, but not an Indian woman.

Further, Infosys lists 14 individuals in their executive management team,[22] one of whom is a woman. It is interesting to note that this female member is the group head of Human Resources as well as being one of five senior Vice Presidents.[23] Infosys also has an Executive Council made up of 13 members, including one Indian woman.

Number of women on the Board: 1/15
Number of women holding executive management positions: 1/14

Wipro Limited
Wipro's Board of Directors is made up of 12 men: one executive chairman, two executive directors, and nine independent directors.

As for their executive management team, the website lists 24 executive leaders, two of whom are women.[24] Wipro also has a Corporate Executive Council of six men.

Number of women on Board: 0/12

Number of women in executive management team: 2/23

HCL Tech Limited
HCL's Board has nine members, two of whom are executive members. The other seven members are listed as being independent, non-executive members. One of these non-executive members is a woman; she is not Indian.

On their website[25] they list 18 members of their leadership team, none of whom are female.

Number of women on Board: 1/9

Number of women holding executive management positions: 0/18

Tech Mahindra
On Tech Mahindra's Board of Directors sits a non-executive chairman, one executive member, six non-executive independent members, and three non-executive directors. None of these individuals are female. On their website, seven employees appear to make up the leadership team of this company, one of whom is a woman. Interestingly, this individual is also the head of HR.[26]

Number of women on Board: 0/11

Number of women holding executive management positions: 1/7

Mahindra Satyam
According to their 2011-2012 annual report, Mahindra Satyam's Board of Directors boosts 6 members: a male chairman, one male CEO, and four non-executive board members, one of whom is an Indian woman.

Further, there appears to be six members of the leadership team[27] including the CEO, none of whom are female.

Number of women on Board: 1/6

Number of women holding executive management positions: 0/6

Summary of Board of Director Data

Number of female chairpersons in the 6 largest IT companies in India: 0/6

Number of women seated on the Board of Directors of the top 6 IT companies in India: 4/67

Executive (excluding chairmen/vice-chairmen): 0/14

Non-Executive (excluding chairmen/vice-chairmen): 4/47

Female Indian members: 1/4

Number of female employees in senior management positions: 6/98

While these numbers may be sobering, they are not exceptionally low, or even below average. According to The Globe and Mail's 11^th annual Board Games report on corporate governance, the percentage of Board seats held by women on Boards of Directors in the Indian corporate sector in 2012 was 5.3%, meaning that, at an approximately 6% of seats held by female members, our very small sample size is actually sitting just above the Indian average. However, when compared to the other BRIC countries at 5.1%, 5.9% and 8.5% respectively,[28] India is still lagging behind when it comes to having women in positions of senior authority in the corporate world.

Further, considering that these are the largest corporate IT companies in the industry, and the majority carry out activities across the globe, they probably have, on average, larger and more diverse Boards of Directors than our average mid- to large-sized Indian software company. Further, two out of six companies do not even have one female member on their Board. As for those remaining four, it is likely that these companies may be the exception and not the rule when it comes to the number of women on the Boards in the Indian IT.

As for executive management, the world average for the percentage of women in senior management roles was 21% in 2012, a meagre increase from the global average of 19% in 2004.[29] The same study that produced these figures also found that the proportion of women holding senior management positions in India was 14%, placing the data from our sample size way below the curve at approximately 6%. However, due to issues discussed earlier in this post, this figure is not an accurate representation of the executive management teams of all six companies; future research will hopefully provide us with more factual statistics.

This is not to say that the IT sector in India is the only industry that should be concerned with its low rates of female employment and attainment of seniority, nor should its industry giants be the only corporate entities publicly scrutinized in this manner. The economic empowerment of women in India is an on-going struggle that is played out in many spheres in the Indian society, including the non-profit sector. In fact, if we perform a similar breakdown of CIS' Board of Directors and staff, the results are comparable to those of the IT companies:

According to our 2011-2012 annual report, our Board of Directors boosts 8 members, two of whom are executive members of CIS' management team. One of these individuals is an Indian woman.

Further, of our 14 staff members, four are women.

[1]. NASSCOM. 2012. Industry Rankings: Top 20 Players in IT Services. [online] Retrieved from http://www.nasscom.org/industry-ranking on January 21st, 2013.

[2]. The NASSCOM industry ranking is a well-regarded annual ranking of the IT sector in India that is often used as a resource in various research initiatives and similar publications, and it appears to be widely accepted as a legitimate ranking by both those within the industry and by entities from other sectors. The ranking is determined using revenue information provided by each company for their activities in India, which we thought was a strong indicator of their significance to the industry and the Indian economic engine as a whole. Finally, NASSCOM carries out this ranking each year, which will allow us to use a similar methodology in choosing our research subjects should we choose to reproduce this research annually.

[3]. If you look at the NASSCOM list of top 20 for 2007-2008, you will see that a company called Satyam Computer Services. This company was taken over by the Mahindra Group in 2009, and was rebranded as Mahindra Satyam to reflect its new parent company. This is why Mahindra Satyam is included in our list, though it first appeared on the NASSCOM Industry Rankings for the 2011-2012 fiscal year; we counted the appearance of Satyam Computer Services in the fourth spot in the rankings for 2007-2008 as a point towards Mahindra Satyam.

Further, it was announced in March of 2012 that Mahindra Satyam and Tech Mahindra would be merging; however, this had not yet happened by the end of the 2012 fiscal year and therefore we will treat Mahindra Satyam and Tech Mahindra as separate and independent entities in this research project.

[4]. Aquirre, D., Hoteit, L., Rupp, C., & Sabbaugh, K. 2012. Empowering the Third Billion: Women and the World of Work in 2012. [pdf] Booz & Company. Accessible at: http://bit.ly/SXdZ6P

[5]. ibid.

[6]. The rate of female labour participation indicates the proportion of the female population above the age of 15 that supplies labour for the production of goods and services on the formal market in a given time period.

[7]. International Labour Organization. February 13, 2013. India: Why is Women's Labour Force Participation Dropping? [online] Retrieved from http://bit.ly/11EGYCM on February 22^nd, 2013.

[8]. Hewlett, S. A., Fredman, C., Leader-Chivee, L., & Rashid, R. 2010. The Battle for Female Talent in India. New York: Center for Work-Life Policy.

[9]. Hewlett, S. A. November 1, 2012. “More Women in the Workforce Could Raise GDP by 5%.” Harvard Business Review. [online] Retrieved from http://bit.ly/YrxyFA February 23^rd, 2013.

[10]. Embassy of India. 2007. India's Information Technology Industry. [online] Retrieved from http://www.indianembassy.org/indiainfo/india_it.htm on February 23^rd, 2013.

[11]. NASSCOM. 2012. Indian IT-BPO Industry. [online] Retrieved from http://www.nasscom.in/indian-itbpo-industry on February 24^th, 2013.

[12]. ibid.

[13]. ibid.

[14]. ibid.

[15]. NASSCOM. 2012. IT Services. [online] Retrieved from http://www.nasscom.in/it-services on February 25^th, 2013.

[16]. NASSCOM. 2012. Indian IT-BPO Industry. [online] Retrieved from http://www.nasscom.in/indian-itbpo-industry on February 24^th, 2013.

[17]. ibid.

[18]. ibid.

[19]. Business Standard. January 31, 2011. Employee Retention Key Challenge for IT, BPO Cos. [online] Retrieved from http://bit.ly/13sCizA on February 24^th, 2013.

[20]. Hewlett, Sylvia A. & Rashid, Ripa. December 3, 2010. “India's Crown Jewels: Female Talent.” Harvard Business Review. [online] Retrieved from http://bit.ly/gpv7CQ on February 23^rd, 2013.

[21]. Sharma, P. October 29, 2012. “Gender Inclusivity, Still a Key Challenge.” DataQuest. [online] Retrieved from http://bit.ly/TPkz1F on February 19^th, 2013.

[22]. Information retrieved from: http://infy.com/cVfEwp

[23]. According to the Grant Thornton International Business Report for 2012, the majority of women employed in senior management positions are heads/directors of Human Resources (21%). It has been argued that women tend to get employed in Human Resources due to a perceived “natural transfer of skills”--meaning that women are believed to be pre-disposed to excel at Human Resources-related tasks and responsibilities simply because of the experiences and norms of their gender. For a more profound discussion of this phenomenon, please visit: http://www.hreonline.com/HRE/view/story.jhtml?id=533345673

[24]. Information retrieved from: http://bit.ly/13sBtXJ

[25]. Information retrieved from: http://bit.ly/Kdm0vP

[26]. Please see footnote 23

[27]. Information retrieved from: http://bit.ly/148kLsv

[28]. Information retrieved from: http://bit.ly/XVvpp3

[29]. Grant Thornton. 2012. “Women in Senior Management: Still Not Enough.” in Grant Thornton International Business Report 2012. Grant Thornton. [pdf] Accessible at: http://bit.ly/HCjKTG

For more details visit https://cis-india.org/internet-governance/blog/women-in-indias-it-industry

Research Advisory Network Meeting

praskrishna — 2014-07-03T06:39:38Z

All sessions will take place at the OECD Headquarters, located at 2 Rue André Pascal, 75016, Paris, France. Sunil Abraham is participating in the event.

For agenda and other details, click here.

Hosting of the Event

The Organisation for Economic Co-operation and Development (OECD) has agreed to host this meeting of the Global Commission on Internet Governance’s Research Advisory Network (RAN). The OECD will provide meeting space and logistical support, and is committed to engaging the project in the development of evidence-based policy recommendations for the future of Internet governance.

Meeting Participant List

Special Guests

James Kaplan
Bill Woodcock

OECD Staff

Aaron Martin
Anne Carblanc
Sam Paltridge
Alexia Gonzalez Fanfalone
Lorrayne Porciuncula

Commission Secretariat

Caroline Baylon
Eric Jardine
Mark Raymond
Aaron Shull
Brenda Woods

Research Advisory Network Biographies

Sunil Abraham / @sunil_abraham

Sunil Abraham is the executive director of the Centre for Internet and Society (CIS). CIS is a five year old policy and academic research organization focusing on accessibility, access to knowledge, Internet governance, telecom, digital natives and digital humanities. He founded Mahiti in 1998, a social enterprise that provides technology to civil society for which he was elected an Ashoka fellow in 1999. Between June 2004 and June 2007, Sunil also managed the International Open Source Network, a project of UNDP serving 42 countries in the Asia-Pacific region.

Subimal Bhattacharjee / @subimal

Subimal Bhattacharjee is an independent consultant on defence and cyber issues, working primarily with government and private sector advisory panels in India. He is the former India country director for General Dynamics International Corporation. Subimal is a columnist and internationally respected speaker on issues of Internet governance and cyber security.

Bertrand de La Chapelle / @bdelachapelle

Bertrand de La Chapelle is the Director of the Internet & Jurisdiction Project, a global multistakeholder dialogue process developing a due process framework to handle the diversity of national laws in cross-border online spaces. He served as a Director on the ICANN Board from 2010 to 2013. From 2006 to 2010, he was France’s Thematic Ambassador and Special Envoy for the Information Society, participating in all WSIS follow-up activities and Internet governance processes, including in particular the Internet Governance Forum (IGF), and was a Vice-Chair of ICANN’s Governmental Advisory Committee (GAC). Bertrand is a graduate of Ecole Polytechnique, Sciences Po Paris and Ecole Nationale d’Administration.

Laura DeNardis / @LauraDeNardis

A scholar of Internet architecture and governance, Dr. Laura DeNardis is a CIGI senior fellow and professor at American University. She is an affiliated fellow at Yale Law School’s Information Society Project and previously served as its Executive Director. She is the Director of Research for the Global Commission on Internet Governance and is the author of The Global War for Internet Governance (Yale University Press 2014).

Patrik Fältström / @patrikhson

Patrik Fältström is head of research and development at Netnod. Previously, he was a distinguished engineer at Cisco, technical specialist at Tele2, systems manager at the Royal Institute of Technology, researcher at Bunyip Information Systems and a programmer in the Royal Swedish Navy. He has been a member of numerous advisory groups and investigations related to the Internet, both public and private sector. Patrik holds an M.Sc. in mathematics from the University of Stockholm.

Paul Fehlinger / @PaulFehlinger

Paul Fehlinger is the co-founder and manager of the Internet & Jurisdiction Project, a global multi-stakeholder dialogue process developing a due process framework to enable the coexistence of diverse national laws in cross-border online spaces. He started working on Internet governance at Sciences Po Paris and the Max Planck Institute for the Study of Societies. He is since actively engaged in the UN Internet Governance Forum, EuroDIG and other global Internet fora.

Fen Hampson

Fen Osler Hampson is a distinguished fellow and director of the Global Security & Politics Program at the Centre for International Governance Innovation (CIGI). He has served as director of the Norman Paterson School of International Affairs and is concurrently chancellor’s professor at Carleton University. He is the recipient of various awards and honours and is a frequent commentator and contributor to international media.

Clem Herman / @clemherman

Clem Herman is a senior lecturer in the Department of Computing and Communications at the UK Open University, and was previously director of the Manchester Women’s Electronic Village Hall (WEVH) pioneering the use of ICTs to empower women. She has published widely on gender issues in technology and is the founder and editor-in-chief of the International Journal of Gender Science and Technology.

Konstantinos Komaitis / @kkomaitis

Konstantinos Komaitis is a policy advisor at the Internet Society, focusing primarily on the field of digital content and intellectual property. Before joining the Internet Society in July 2012, he was a senior lecturer at the University of Strathclyde in Glasgow. Konstantinos holds a Ph.D. in law and his thesis focused on issues of intellectual property and the Internet, with particular focus on the intersection of trademarks and domain names. He is the author of The Current State of Domain Name Regulation.

Young-eum Lee

Young-eum Lee is a professor in the Department of Media Arts and Sciences at Korea National Open University. She has been involved in various Internet governance policy making processes of the Korean domain name .kr at KISA (KRNIC), and has also been involved in global Internet governance activities at ICANN. Since 2003, she has been a council member of the ccNSO representing .kr in the Asia-Pacific region. Young-eum received her M.A. in Communication Science at Northwestern University and her doctorate in Communication from the University of Michigan.

Tim Maurer

Tim Maurer is a research fellow at the New America Foundation’s Open Technology Institute. He focuses on cyberspace and international affairs, namely Internet governance, cyber-security, and human rights online. In October 2013 and February 2014, he spoke about cyber-warfare at the United Nations. Tim’s research has been published and featured by national and international print, radio and television media, including Harvard University, Foreign Policy, CNN and Slate among others. He conducts academic research as a non-resident research fellow at the University of Toronto’s Citizen Lab.

Emily Taylor / @etaylaw

Emily Taylor is a renowned expert in the field of Internet law and governance, and provides research services in areas including security, IPv6 deployment, internationalised domain names, the domain name industry, and global policy development. Her roles in the Internet sphere include chair of the WhoIs Review Committee for ICANN 2012, member of the Multistakeholder Advisory Group to the IGF (2006-2012), director of Synetergy (providing Sunrise Dispute resolution services to the largest gTLD applicant, Donuts), and several ongoing non-executive directorships.

Rolf H. Weber

Rolf H. Weber is professor for civil, commercial and European law at the University of Zurich Law School. Since 2008, he is the director of the Information and Communication Law Center at the University of Zurich, a member (now Vice-Chairman) of the Steering Committee of the Global Internet Governance Academic Network (GigaNet) as well as a member of the European Dialogue on Internet Governance (EuroDIG). Since 2009, he has been a member of the High-level Panel of Advisers of the Global Alliance for Information and Communication Technologies and Development (GAID) and author of frequent publications on Internet Governance.

Andrew Wyckoff

Andrew W. Wyckoff is the director of the OECD’s Directorate for Science, Technology and Industry. Prior to the OECD, he was a program manager of the Information, Telecommunications and Commerce program of the US Congressional Office of Technology Assessment, an economist at the US National Science Foundation and a programmer at the Brookings Institution. Andrew holds a Master of Public Policy from the JFK School of Government, Harvard University.

Special Guest Biographies

James M. Kaplan

James M. Kaplan is a partner at McKinsey & Company in New York. He convenes McKinsey's global practices in IT infrastructure and cyber-security. He has assisted leading institutions in implementing cyber-security strategies, conducting cyber-war games, optimizing enterprise infrastructure environments and exploiting cloud technologies. James led McKinsey's collaboration with the World Economic Forum on "Risk & Responsibility in a Hyper-Connected World," which was presented at the Forum's recent Annual Meeting in Davos. He published on a variety of technology topics in the McKinsey Quarterly, the Financial Times, the Wall Street Journal and the Harvard Business Review Blog Network.

Bill Woodcock

Bill Woodcock is the executive director of Packet Clearing House, the international non-governmental organization that builds and supports critical Internet infrastructure, including Internet exchange points and the core of the domain name system. Since entering the Internet industry in 1985, Bill has helped establish more than one hundred and fifty Internet exchange points. In the early 1990s, Bill developed the anycast routing technique that now protects the domain name system. In 2002 he co-founded INOC-DBA, the security-coordination hotline system that interconnects the network operations centers of more than three thousand ISPs around the world. And in 2007, Bill was one of the two international liaisons deployed by NSP-Sec to the Estonian CERT during the Russian cyber-attack.

For more details visit https://cis-india.org/news/research-advisory-network-meeting

Request for Specifics: Rebuttal to UIDAI

hans — 2016-10-30T15:06:31Z

Responding to the Unique Identification Authority of India’s article that found “serious mathematical errors” in “Flaws in the UIDAI Process” (EPW 12 March 2016), the main mathematical argument used to arrive at the number of duplicates in the biometric database is explained.

The article was published in the Economic & Political Weekly on September 3, 2016, Vol.51, Issue No.36.

The author of a technical paper will be alarmed when he is convicted of “serious mathematical errors” by someone who has not bothered himself with “going too deep into the mathematics” used. The man must possess miraculous powers of divination one feels: fears rather. The UIDAI seems to have even such formidable diviners in their employ: who have dismissed just so peremptorily, in their rebuttal, the calculations made in my paper titled Flaws in the UIDAI process. The paper appeared in the issue of this journal dated to February 27 of this year. The rebuttal was published in the issue dated to the 12th of March. The interested reader can confirm that I have only repeated what was said there. The rebuttal does not specify, in any way, the mathematical mistakes I am supposed to have made. So I shall rehearse the relevant calculations very broadly: and the experts of the UIDAI will then exhibit, I trust, the specific mistakes they impute to me.[*]

[*]My reply to the UIDAIs attempted rebuttal was sent in to the EPW a few days after that appeared in print: and published as a “web exclusive” article in Volume 51, Issue Number 36 of the EPW, on 03/09/2016.

Read the Full Article

For more details visit https://cis-india.org/internet-governance/blog/economic-and-political-weekly-journal-vol-51-issue-36-september-3-2016-hans-varghese-mathews-request-for-specifics

Report: From Oppression to Liberation: Reclaiming the Right to Privacy

Admin — 2018-12-05T02:48:31Z

Eva Blum-Dumontet, Research Officer at Privacy International, published her report on gender and privacy on November 28, 2018. The report, titled 'From Oppression to Liberation: Reclaiming the Right to Privacy', traces the history of privacy as a tool of oppressing women across different spheres, eventually calling for a feminist reclamation of privacy. Ambika Tandon was quoted.

Whose privacy are we fighting for when we say we defend the right to privacy? In this report we take a hard look at the right to privacy and its reality for women, trans and gender diverse people. We highlight how historically privacy has been appropriated by patriarchal rule and systems of oppression to keep women, trans and gender diverse people in the private sphere.

For us, this report is also an opportunity to show how surveillance and data exploitation are also uniquely affecting women, trans and gender diverse people. We demonstrate how patriarchy and systems of oppression rely on surveillance to perpetuate themselves and how surveillance and data exploitation need the rigid and gender-normative categories of patriarchy to function. We conclude by presenting how protecting the right to privacy can address some of these challenges.

We hope this report will be read as a call for action: privacy needs to be reclaimed by women, trans and gender diverse people.

Download the report

For more details visit https://cis-india.org/internet-governance/news/report-from-oppression-to-liberation-reclaiming-the-right-to-privacy

Report on Understanding Aadhaar and its New Challenges

Japreet Grewal, Vanya Rakesh, Sumandro Chattapadhyay, and Elonnai Hickock — 2019-03-16T04:42:52Z

The Trans-disciplinary Research Cluster on Sustainability Studies at Jawaharlal Nehru University collaborated with the Centre for Internet and Society, and other individuals and organisations to organise a two day workshop on “Understanding Aadhaar and its New Challenges” at the Centre for Studies in Science Policy, JNU on May 26 and 27, 2016. The objective of the workshop was to bring together experts from various fields, who have been rigorously following the developments in the Unique Identification (UID) Project and align their perspectives and develop a shared understanding of the status of the UID Project and its impact. Through this exercise, it was also sought to develop a plan of action to address the welfare exclusion issues that have arisen due to implementation of the UID Project.

Report: Download (PDF)

This Report is a compilation of the observations made by participants at the workshop relating to myriad issues under the UID Project and various strategies that could be pursued to address these issues. In this Report we have classified the observations and discussions into following themes:

1. Brief Background of the UID Project

2. Legal Status of the UIDAI Project

Procedural issues with passage of the Act
Status of related litigation

3. National Identity Projects in Other Jurisdictions

Pakistan
United Kingdom
Estonia
France
Argentina

4. Technologies of Identification and Authentication

Use of Biometric Information for Identification and Authentication
Architectures of Identification
Security Infrastructure of CIDR

5. Aadhaar for Welfare?

Social Welfare: Modes of Access and Exclusion
Financial Inclusion and Direct Benefits Transfer

6. Surveillance and UIDAI

7. Strategies for Future Action

Annexure A Workshop Agenda

Annexure B Workshop Participants

1. Brief Background of the UID Project

In the year 2009, the UIDAI was established and the UID project was conceived by the Planning Commission under the UPA government to provide unique identification for each resident in India and to be used for delivery of welfare government services in an efficient and transparent manner, along with using it as a tool to monitor government schemes. The objective of the scheme has been to issue a unique identification number by the Unique Identification Authority of India, which can be authenticated and verified online. It was conceptualized and implemented as a platform to facilitate identification and avoid fake identity issues and delivery of government benefits based on the demographic and biometric data available with the Authority.

The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (the “Act”) was passed as a money bill on March 16, 2016 and was notified in the gazette March 25, 2016 upon receiving the assent of the President. However, the enforceability date has not been mentioned due to which the bill has not come into force.

The Act provides that the Aadhaar number can be used to validate a person’s identity, but it cannot be used as a proof of citizenship. Also, the government can make it mandatory for a person to authenticate her/his identity using Aadhaar number before receiving any government subsidy, benefit, or service. At the time of enrolment, the enrolling agency is required to provide notice to the individual regarding how the information will be used, the type of entities the information will be shared with and their right to access their information. Consent of an individual would be obtained for using his/her identity information during enrolment as well as authentication, and would be informed of the nature of information that may be shared. The Act clearly lays that the identity information of a resident shall not be sued for any purpose other than specified at the time of authentication and disclosure of information can be made only pursuant to an order of a court not inferior to that of a District Judge and/or disclosure made in the interest of national security.

2. Legal Status of the UIDAI Project

In this section, we have summarised the discussions on the procedural issues with the passage of the Act. The participants had criticised the passage of the Act as a money bill in the Parliament. The participants also assessed the litigation pending in the Supreme Court of India that would be affected by this law. These discussions took place in the session titled, ‘Current Status of Aadhaar’ and have been summarised below.

Procedural Issues with Passage of the Act

The participants contested the introduction of the Act in the form of a money bill. The rationale behind this was explained at the session and is briefly explained here. Article 110 (1) of the Constitution of India defines a money bill as one containing provisions only regarding the matters enumerated or any matters incidental to the following: a) imposition, regulation and abolition of any tax, b) borrowing or other financial obligations of the Government of India, c) custody, withdrawal from or payment into the Consolidated Fund of India (CFI) or Contingent Fund of India, d) appropriation of money out of CFI, e) expenditure charged on the CFI or f) receipt or custody or audit of money into CFI or public account of India. The Act makes references to benefits, subsidies and services which are funded by the Consolidated Fund of India (CFI), however the main objectives of the Act is to create a right to obtain a unique identification number and provide for a statutory mechanism to regulate this process. The Act only establishes an identification mechanism which facilitates distribution of benefits and subsidies funded by the CFI and this identification mechanism (Aadhaar number) does not give it the character of a money bill. Further, money bills can be introduced only in the Lok Sabha, and the Rajya Sabha cannot make amendments to such bills passed by the Lok Sabha. The Rajya Sabha can suggest amendments, but it is the Lok Sabha’s choice to accept or reject them. This leaves the Rajya Sabha with no effective role to play in the passage of the bill.

The participants also briefly examined the writ petition that has been filed by former Union minister Jairam Ramesh challenging the constitutionality and legality of the treatment of this Act as a money bill which has raised the question of judiciary’s power to review the decisions of the speaker. Article 122 of the Constitution of India provides that this power of judicial review can be exercised to look into procedural irregularities. The question remains whether the Supreme Court will rule that it can determine the constitutionality of the decision made by the speaker relating to the manner in which the Act was introduced in the Lok Sabha. A few participants mentioned that similar circumstances had arisen in the case of Mohd. Saeed Siddiqui v. State of U.P. [1].

where the Supreme Court refused to interfere with the decision of the Uttar Pradesh legislative assembly speaker certifying an amendment bill to increase the tenure of the Lokayukta as a money bill, despite the fact that the bill amended the Uttar Pradesh Lokayukta and Up-Lokayuktas Act, 1975, which was passed as an ordinary bill by both houses. The Court in this case held that the decision of the speaker was final and that the proceedings of the legislature being important legislative privilege could not be inquired into by courts. The Court added, “the question whether a bill is a money bill or not can be raised only in the state legislative assembly by a member thereof when the bill is pending in the state legislature and before it becomes an Act.”

However, it is necessary to carve a distinction between Rajya Sabha and State Legislature. Unlike the State Legislature, constitution of Rajya Sabha is not optional therefore significance of the two bodies in the parliamentary process cannot be considered the same. Participants also made another significant observation about a similar bill on the UID project (National Identification Authority of India (NIDAI) Bill) that was introduced before by the UPA government in 2010 and was deemed unacceptable by the standing committee on finance, headed by Yashwant Sinha. This bill was subsequently withdrawn.

Status of Related Litigation

A panellist in this session briefly summarised all the litigation that was related to or would be affected by the Act. The panellist also highlighted several Supreme Court orders in the case of KS Puttuswamy v. Union of India [2] which limited the use of Aadhaar. We have reproduced the presentation below.

KS Puttuswamy v. Union of India - This petition was filed in 2012 with primary concern about providing Aadhaar numbers to illegal immigrants in India. It was contended that this could not be done without a law establishing the UIDAI and amendment to the Citizenship laws. The petitioner raised concerns about privacy and fallibility of biometrics.
Sudhir Vombatkere & Bezwada Wilson [3] - This petition was filed in 2013 on grounds of infringement of right to privacy guaranteed under Article 21 of the Constitution of India and the security threat on account of data convergence.
Aruna Roy & Nikhil Dey [4] - This petition was filed in 2013 on the grounds of large scale exclusion of people from access to basic welfare services caused by UID. After their petition, no. of intervention applications were filed. These were the following:
Col. Mathew Thomas [5] - This petition was filed on the grounds of threat to national security posed by the UID project particularly in relation to arrangements for data sharing with foreign companies (with links to foreign intelligence agencies).
Nagrik Chetna Manch [6] - This petition was filed in 2013 and led by Dr. Anupam Saraph on the grounds that the UID project was detrimental to financial service regulation and financial inclusion.
S. Raju [7] - This petition was filed on the grounds that the UID project had implications on the federal structure of the State and was detrimental to financial inclusion.
Beghar Foundation - This petition was filed in 2013 in the Delhi High Court on the grounds invasion of privacy and exclusion specifically in relation to the homeless. It subsequently joined the petition filed by Aruna Roy and Nikhil Dey as an intervener.
Vickram Crishna – This petition was originally filed in the Bombay High Court in 2013 on the grounds of surveillance and invasion of privacy. It was later transferred to the Supreme Court.
Somasekhar – This petition was filed on the grounds of procedural unreasonableness of the UID project and also exclusion & privacy. The petitioner later intervened in the petition filed by Aruna Roy and Nikhil Dey in 2013.
Rajeev Chandrashekhar– This petition was filed on the ground of lack of legal sanction for the UID project. He later intervened in the petition filed by Aruna Roy and Nikhil Dey in 2013. His position has changed now.
Further, a petition was filed by Mr. Jairam Ramesh initially challenging the passage of the Act as a money bill but subsequently, it has been amended to include issues of violation of right to privacy and exclusion of the poor and has advocated for five amendments that were suggested to the Aadhaar Bill by the Rajya Sabha.

Relevant Orders of the Supreme Court

There are six orders of the Supreme Court which are noteworthy.

Order of Sept. 23, 2013 - The Supreme court directed that: 1) no person shall suffer for not having an aadhaar number despite the fact that a circular by an authority makes it mandatory; 2) it should be checked if a person applying for aadhaar number voluntarily is entitled to it under the law; and 3) precaution should be taken that it is not be issued to illegal immigrants.
Order of 26th November, 2013 – Applications were filed by UIDAI, Ministry of Petroleum & Natural Gas, Govt of India, Indian Oil Corporation, BPCL and HPCL for modifying the September 23rd order and sought permission from the Supreme Court to make aadhaar number mandatory. The Supreme Court held that the order of September 23rd would continue to be effective.
Order of 24th March, 2014 – This order was passed by the Supreme Court in a special leave petition filed in the case of UIDAI v CBI [8] wherein UIDAI was asked to UIDAI to share biometric information of all residents of a particular place in Goa to facilitate a criminal investigation involving charges of rape and sexual assault. The Supreme Court restrained UIDAI from transferring any biometric information of an individual without to any other agency without his consent in writing. The Supreme Court also directed all the authorities to modify their forms/circulars/likes so as to not make aadhaar number mandatory.
Order of 16th March, 2015 - The SC took notice of widespread violations of the order passed on September 23rd, 2013 and directed the Centre and the states to adhere to these orders to not make aadhaar compulsory.
Orders of August 11, 2015 – In the first order, the Central Government was directed to publicise the fact that aadhaar was voluntary. The Supreme Court further held that provision of benefits due to a citizen of India would not be made conditional upon obtaining an aadhaar number and restricted the use of aadhaar to the PDS Scheme and in particular for the purpose of distribution of foodgrains, etc. and cooking fuel, such as kerosene and the LPG Distribution Scheme. The Supreme Court also held that information of an individual that was collected in order to issue an aadhaar number would not be used for any purpose except when directed by the Court for criminal investigations. Separately, the status of fundamental right to privacy was contested and accordingly the Supreme Court directed that the issue be taken up before the Chief Justice of India.
Orders of October 16, 2015 – The Union of India, the states of Gujarat, Maharashtra, Himachal Pradesh and Rajasthan, and authorities including SEBI, TRAI, CBDT, IRDA , RBI applied for a hearing before the Constitution Bench for modification of the order passed by the Supreme Court on August 11 and allow use of aadhaar number schemes like The Mahatma Gandhi National Rural Employment Guarantee Scheme MGNREGS), National Social Assistance Programme (Old Age Pensions, Widow Pensions, Disability Pensions) Prime Minister's Jan Dhan Yojana (PMJDY) and Employees' Providend Fund Organisation (EPFO). The Bench allowed the use of aadhaar number for these schemes but stressed upon the need to keep aadhaar scheme voluntary until the matter was finally decided.

Status of these orders
The participants discussed the possible impact of the law on the operation of these orders. A participant pointed out that matters in the Supreme Court had not become infructuous because fundamental issues that were being heard in the Supreme Court had not been resolved by the passage of the Act. Several participants believed that the aforementioned orders were effective because the law had not come into force. Therefore, aadhaar number could only be used for purposes specified by the Supreme Court and it could not be made mandatory. Participants also highlighted that when the Act was implemented, it would not nullify the orders of the Supreme Court unless Union of India asked the Supreme Court for it specifically and the Supreme Court sanctioned that.

3. National Identity Projects in Other Jurisdictions

A panellist had provided a brief overview of similar programs on identification that have been launched in other jurisdictions including Pakistan, United Kingdom, France, Estonia and Argentina in the recent past in the session titled ‘Aadhaar - International Dimensions’. This presentation mainly sought to assess the incentives that drove the governments in these jurisdictions to formulate these projects, mandatory nature of their adoption and their popularity. The Report has reproduced the presentation here.

Pakistan

The Second Amendment to the Constitution of Pakistan in 2000 established the National Database and Regulation Authority in the country, which regulates government databases and statistically manages the sensitive registration database of the citizens of Pakistan. It is also responsible for issuing national identity cards to the citizens of Pakistan. Although the card is not legally compulsory for a Pakistani citizen, it is mandatory for:

Voting
Obtaining a passport
Purchasing vehicles and land
Obtaining a driver licence
Purchasing a plane or train ticket
Obtaining a mobile phone SIM card
Obtaining electricity, gas, and water
Securing admission to college and other post-graduate institutes
Conducting major financial transactions

Therefore, it is pretty much necessary for basic civic life in the country. In 2012, NADRA introduced the Smart National Identity Card, an electronic identity card, which implements 36 security features. The following information can be found on the card and subsequently the central database: Legal Name, Gender (male, female, or transgender), Father's name (Husband's name for married females), Identification Mark, Date of Birth, National Identity Card Number, Family Tree ID Number, Current Address, Permanent Address, Date of Issue, Date of Expiry, Signature, Photo, and Fingerprint (Thumbprint). NADRA also records the applicant's religion, but this is not noted on the card itself. (This system has not been removed yet and is still operational in Pakistan.)

United Kingdom

The Identity Cards Act was introduced in the wake of the terrorist attacks on 11th September, 2001, amidst rising concerns about identity theft and the misuse of public services. The card was to be used to obtain social security services, but the ability to properly identify a person to their true identity was central to the proposal, with wider implications for prevention of crime and terrorism. The cards were linked to a central database (the National Identity Register), which would store information about all of the holders of the cards. The concerns raised by human rights lawyers, activists, security professionals and IT experts, as well as politicians were not to do with the cards as much as with the NIR. The Act specified 50 categories of information that the NIR could hold, including up to 10 fingerprints, digitised facial scan and iris scan, current and past UK and overseas places of residence of all residents of the UK throughout their lives. The central database was purported to be a prime target for cyber attacks, and was also said to be a violation of the right to privacy of UK citizens. The Act was passed by the Labour Government in 2006, and repealed by the Conservative-Liberal Democrat Coalition Government as part of their measures to “reverse the substantial erosion of civil liberties under the Labour Government and roll back state intrusion.”

Estonia

The Estonian i-card is a smart card issued to Estonian citizens by the Police and Border Guard Board. All Estonian citizens and permanent residents are legally obliged to possess this card from the age of 15. The card stores data such as the user's full name, gender, national identification number, and cryptographic keys and public key certificates. The cryptographic signature in the card is legally equivalent to a manual signature, since 15 December 2000. The following are a few examples of what the card is used for:

As a national ID card for legal travel within the EU for Estonian citizens
As the national health insurance card
As proof of identification when logging into bank accounts from a home computer
For digital signatures
For i-voting
For accessing government databases to check one’s medical records, file taxes, etc.
For picking up e-Prescriptions
(This system is also operational in the country and has not been removed)

France

The biometric ID card was to include a compulsory chip containing personal information, such as fingerprints, a photograph, home address, height, and eye colour. A second, optional chip was to be implemented for online authentication and electronic signatures, to be used for e-government services and e-commerce. The law was passed with the purpose of combating “identity fraud”. It was referred to the Constitutional Council by more than 200 members of the French Parliament, who challenged the compatibility of the bill with the citizens’ fundamental rights, including the right to privacy and the presumption of innocence. The Council struck down the law, citing the issue of proportionality. “Regarding the nature of the recorded data, the range of the treatment, the technical characteristics and conditions of the consultation, the provisions of article 5 touch the right to privacy in a way that cannot be considered as proportional to the meant purpose”.

Argentina

Documento Nacional de Identidad or DNI (which means National Identity Document) is the main identity document for Argentine citizens, as well as temporary or permanent resident aliens. It is issued at a person's birth, and updated at 8 and 14 years of age simultaneously in one format: a card (DNI tarjeta); it's valid if identification is required, and is required for voting. The front side of the card states the name, sex, nationality, specimen issue, date of birth, date of issue, date of expiry, and transaction number along with the DNI number and portrait and signature of the card's bearer. The back side of the card shows the address of the card's bearer along with their right thumb fingerprint. The front side of the DNI also shows a barcode while the back shows machine-readable information. The DNI is a valid travel document for entering Argentina, Bolivia, Brazil, Chile, Colombia, Ecuador, Paraguay, Peru, Uruguay, and Venezuela. (System still operational in the country)

4. Technologies of Identification and Authentication

The panel in the session titled ‘Aadhaar: Science, Technology, and Security’ explained the technical aspects of use of biometrics and privacy concerns, technology architecture for identification and inadequacy of infrastructure for information security. In this section, we have summarised the presentation and the ensuing discussions on these issues.

Use of Biometric Information for Identification and Authentication

The panelists explained with examples that identification and authentication were different things. Identity provides an answer to the question “who are you?” while authentication is a challenge-response process that provides a proof of the claim of identity. Common examples of identity are User ID (Login ID), cryptographic public keys and ATM or Smart cards while common authenticators are passwords (including OTPs), PINs and cryptographic private keys. Identity is public information but an authenticator must be private and known only to the user. Authentication must necessarily be a conscious process and active participation by the user is a must. It should also always be possible to revoke an authenticator. After providing this understanding of the two processes the panellist then explained if biometric information could be used for identification or authentication under the UID Project. Biometric information is clearly public information and it is questionable if it can be revoked. Therefore it should never be used for authentication, but only for identity verification. There is a possibility of authentication by fingerprints under the UID Project, without conscious participation of the user. One could trace the fingerprints of an individual from any place the individual has been in contact with. Therefore, authentication must certainly be done by other means. The panellist pointed out that there were five kinds of authentication under the UID Project, out of which two-factor authentication and one time password were considered suitable but use of biometric information and demographic information was extremely threatening and must be withdrawn.

Architectures of Identification

The panelists explained the architecture of the UID Project that has been designed for identification purposes, highlighted its limitations and suggested alternatives. His explanations are reproduced below.

Under the UID Project, there is a centralised means of identification i.e. the aadhaar number and biometric information stored in one place, Central Identification Data Repository (CIDR). It is better to have multiple means of identification than one (as contemplated under the UID Project) for preservation of our civil liberties. The question is what the available alternatives are. Web of trust is a way for operationalizing distributed identification but the challenge is how one brings people from all social levels to participate in it. There is a need for registrars who will sign keys and public databases for this purpose.

The aadhaar number functions as a common index and facilitates correlation of data across Government databases. While this is tremendously attractive it raises several privacy concerns as more and more information relating to an individual is available to others and is likely to be abused.

The aadhaar number is available in human readable form. This raises the risk of identification without consent and unauthorised profiling. It cannot be revoked. Potential for damage in case of identity theft increases manifold.

Under the UID Project, for the purpose of information security, Authentication User Agencies (“AUA”) are required to use local identifiers instead of aadhaar numbers but they are also required to map these local identifiers to the aadhaar numbers. Aadhaar numbers are not cryptographically secured; in fact they are publicly available. Hence this exercise for securing information is useless. An alternative would be to issue different identifiers for different domains and cryptographically embed a “master identifier” (in this case, equivalent of aadhaar number) into each local identifier.

All field devices (for example POS machines) should be registered and must communicate directly with UIDAI. In fact, UIDAI must verify the authenticity (tamper proof) of the field device during run time and a UIDAI approved authenticity certificate must be issued for field devices. This certificate must be made available to users on demand. Further, the security and privacy frameworks within which AUAs work must be appropriately defined by legal and technical means.

Security Infrastructure of CIDR

The panelists also enumerated the security features of the UID Project and highlighted the flaws in these features. These have been summarised below.

The security and privacy infrastructure of UIDAI has the following main features:

2048 bit PKI encryption of biometric data in transit
End-to-end encryption from enrolment/POS to CIDR
HMAC based tamper detection of PID blocks
Registration and authentication of AUAs
Within CIDR only a SHA 1 Hash of Aadhaar number is stored
Audit trails are stored SHA 1 encrypted. Tamper detection?
Only hashes of passwords and PINs are stored. (biometric data stored in original form though!)
Authentication requests have unique session keys and HMAC
Resident data stored using 100 way sharding (vertical partitioning). First two digits of Aadhaar number as shard keys
All enrolment and update requests link to partitioned databases using Ref IDs (coded indices)
All accesses through a hardware security module
All analytics carried out on anonymised data

The panellists pointed out the concerns about information security on account of design flaws, lack of procedural safeguards, openness of the system and too much trust imposed on multiple players. All symmetric and private keys and hashes are stored somewhere within UIDAI. This indicates that trust is implicitly assumed which is a glaring design flaw. There is no well-defined approval procedure for data inspection, whether it is for the purpose of investigation or for data analytics. There is a likelihood of system hacks, insider leaks, and tampering of authentication records and audit trails. The ensuing discussions highlighted that the UIDAI had admitted to these security risks. The enrolment agencies and the enrolment devices cannot be trusted. AUAs cannot be trusted with biometric and demographic data; neither can they be trusted with sensitive user data of private nature. There is a need for an independent third party auditor for distributed key management, auditing and approving UIDAI programs, including those for data inspection and analytics, whitebox cryptographic compilation of critical parts of the UIDAI programs, issue of cryptographic keys to UIDAI programs for functional encryption, challenge-response for run-time authentication and certification of UIDAI programs. The panellist recommended that there was a need to to put a suitable legal framework to execute this.

The participants also discussed that information infrastructure must not be made of proprietary software (possibility for backdoors for US) and there must be a third party audit with a non-negotiable clause for public audit.

5. Aadhaar for Welfare?

The Report has summarised the discussions that took place in the sessions on ‘Direct Benefits Transfers’ and ‘Aadhaar: Broad Issues - II’ where the panellists critically analysed the claims of benefits and inclusion of Aadhaar made by the government in light of the ground realities in states where Aadhaar has been adopted for social welfare schemes.

Social Welfare: Modes of Access and Exclusion

Under the Act, a person may be required to authenticate or give proof of the aadhaar number in order to receive subsidy from the government (Section 7). A person is required to punch their fingerprints on POS machines in order to receive their entitlement under the social welfare schemes such as LPG and PDS. It was pointed out in the discussions that various states including Rajasthan and Delhi had witnessed fingerprint errors while doling out benefits at ration shops under the PDS scheme. People have failed to receive their entitled benefits because of these fingerprint errors thus resulting in exclusion of beneficiaries [9]. A panellist pointed out that in Rajasthan, dysfunctional biometrics had led to further corruption in ration shops. Ration shop owners often lied to the beneficiaries about functioning of the biometric machines (POS Machines) and kept the ration for sale in the market therefore making a lot of money at the expense of uninformed beneficiaries and depriving them of their entitlements.

Another participant organisation also pointed out similar circumstances in the ration shops in Patparganj and New Delhi constituencies. Here, the dealers had maintained the records of beneficiaries who had been categorized as follows: beneficiaries whose biometrics did not match, beneficiaries whose biometrics matched and entitlements were provided, beneficiaries who never visited the ration shop. It had been observed that there were no entries in the category of beneficiaries whose biometrics did not match however, the beneficiaries had a different story to tell. They complained that their biometrics did not match despite trying several times and there was no mechanism for a manual override. Consequently, they had not been able to receive any entitlements for months. The discussions also pointed out that the food authorities had placed complete reliance on authenticity of the POS machines and claim that this system would weed out families who were not entitled to the benefits. The MIS was also running technical glitches as a result there was a problem with registering information about these transactions hence, no records had been created with the State authority about these problems. A participant also discussed the plight of 30,000 widows in Delhi, who were entitled to pension and used to collect their entitlement from post offices, faced exclusion due to transition problems under the Jan Dhan Yojana (after the Jandhan was launched the money was transferred to their bank accounts in order to resolve the problem of misappropriation of money at the hands of post office officials). These widows were asked to open bank accounts to receive their entitlements and those who did not open these accounts and did not inform the post office were considered bogus.

In the discussions, the participants also noted that this unreliability of fingerprints as a means of authentication of an individual’s identity was highlighted at the meeting of Empowered Group of Ministers in 2011 by J Dsouza, a biometrics scientist. He used his wife’s fingerprints to demonstrate that fingerprints may change overtime and in such an event, one would not be able to use the POS machine anymore as the machine would continue to identify the impressions collected initially.

The participants who had been working in the field had contributed to the discussions by busting the myth that the UID Project helped to identify who was poor and resolve the problem of exclusion due to leakages in the social welfare programs. These discussions have been summarised below.

It is important to understand that the UID Project is merely an identification and authentication system. It only helps in verifying if an individual is entitled to benefits under a social security scheme. It does not ensure plugging of leakages and reducing corruption in social security schemes as has been claimed by the Government. The reduction in leakage of PDS, for instance, should be attributed to digitization and not UID. The Government claims, that it has saved INR 15000 crore in provision of LPG on identification of 3.34 crore inactive accounts on account of the UID Project. This is untrue because the accounts were weeded by using mechanisms completely unrelated to the UID Project. Consequently, the savings on account of UID are only of INR 120 crore and not 15000 crore.
The UID Project has resulted in exclusion of people either because they do not have an aadhaar number, or they have a wrong identification, or there are errors of classification or wilful misclassification. About 99.7% people who were given aadhaar numbers already had an identification document. In fact, during enrolment a person is required to produce one of 14 identification documents listed under the law in order to get an aadhaar number which makes it very difficult for a person with no identity to become entitled to a social welfare scheme.

A participant condemned the Government’s claim that the UID Project had helped in removing fake, bogus and duplicate cards and said that these terms could not be used synonymously and the authorities had no clarity about the difference between the meanings of these terms. The UID Project had only helped in removal of duplicate cards but had not helped in combating the use of fake and bogus cards.

Financial Inclusion and Direct Benefits Transfer

The participants also engaged in the discussions about the impact of the UID project on financial inclusion in India in the sessions titled ‘Aadhaar: Broad Issues - I & II’. We have summarised these discussions below.

The UID Project seeks to directly transfer money to a bank account in order to combat corruption. The discussions highlighted that this was nothing but introducing a neo liberal thrust in social policy and that it was not feasible for various reasons. First, 95% of rural India did not have functioning banks and banks are quite far away. Second, in order to combat this dearth of banks the idea of business correspondents, who handled banking transactions and helped in opening of bank accounts, had been introduced which had created various problems. The Reserve Bank of India reported that there was dearth of business correspondents as there was very little incentive to become one; their salary is merely INR 4000. Third, there were concerns about how an aadhaar number was considered a valid document for Know Your Customer (KYC) checks. There was a requirement for scrutiny and auditing of documents submitted during the time of enrolment which, in the present scheme of things, could not be verified. Fourth, there were no restrictions on number of bank accounts that could be opened with a single aadhaar number which gave rise to a possibility of opening multiple and shell accounts on a single aadhaar number. Therefore, records only showed transactions when money was transferred from an aadhaar number to another aadhaar number as opposed to an account-to-account transfer. The discussion relied on NPCI data which shows which bank an aadhaar number is associated with but does not show if a transaction by an aadhaar number is overwritten by another bank account belonging to the same aadhaar number.

6. Surveillance and UIDAI

The participants had discussed the possibility of an alternative purpose for enrolling Aadhaar in the session titled ‘Privacy, Surveillance, and Ethical Dimensions of Aadhaar’. The discussion traced the history of this project to gain insight on this issue. We have summarised below the key take aways from this discussion.

There are claims that the main objective of launching the UID Project is not to facilitate implementation of social security schemes but to collect personal (financial and non-financial) information of the citizens and residents of the country to build a data monopoly. For this purpose, PDS was chosen as a suitable social security scheme as it has the largest coverage. Several participants suggested that numerous reports authored by FICCI, KPMG and ASSOCHAM contained proposals for establishing a national identity authority which threw some light on the commercial intentions behind information collection under the UID Project.

It was also pointed out that there was documented proof that information collected under the UID Project might have been shared with foreign companies. There are suggestions about links established between proponents of the UID Project and companies backed by CIA or the French Government which run security projects and deal in data sharing in several jurisdictions.

7. Strategies for Future Action

The participants laid down a list of measures that must be taken to take the discussions forward. We have enumerated these recommendations below.

Prepare and compile an anthology of articles as an output of this workshop.
Prepare position papers on specific issues related to the UID Project
Prepare pamphlets/brochures on issues with the UID Project for public consumption
Prepare counter-advertisements for Aadhaar
Publish existing empirical evidence on the flaws in Aadhaar.
Set up an online portal dedicated to providing updates on the UID Project and allows discussions on specific issues related to Aadhaar.
Use Social Media to reach out to the public. Regularly track and comment on social media pages of relevant departments of the government.
Create groups dedicated to research and advocacy of specific aspects of the UID Project.
Create a Coordination Committee preferably based in Delhi which would be responsible for regularly holding meetings and for preparing a coordinated plan of action. Employ permanent to staff to run the Committee.
Organise an advocacy campaign against use of Aadhaar in collaboration with other organisations and build public domain acceptance.
The campaign must specifically focus on the unfettered scope of UID and expanse, misrepresentation of the success of Aadhaar by highlighting real savings, technological flaws, status of pilot programs and increasing corruption on account of the UID Project
Prepare a statement of public concern regarding the UID Project and collect signatures from eminent persons including academics, technical experts, civil society groups and members of parliament.
Organise events and discussions on issues relating to Aadhaar and invite members og government departments to speak and discuss the issues.
Write to Members of Parliament and Members of Legislative Assemblies raising questions on their or their parties’ support for Aadhaar and silence on the problems created by the UID Project.
Organise public hearings in states like Rajasthan to observe and document ground realities of the UID Project and share these outcomes with the state government and media.
Plan a national social audit and public hearing on the working of UID Project in the country.
File Contempt Petitions in the Supreme Court and High Courts against mandatory use of Aadhaar number for services not allowed by the Supreme Court.
Reach out to and engage with various foreign citizens and organisations that have been fighting on similar issues. The organisations and individuals who could be approached would include EPIC, Electronic Frontier foundation, David Moss, UK, Roger Clarke, Australia, Prof. Ian Angel, Snowden, Assange and Chomsky.
Work towards increasing awareness about the UID Project and gaining support from the student and research community, student organisations, trade unions, and other associations and networks in the unorganised sector.

Annexure A – Workshop Agenda

May 26, 2016

9:00-9:30	Registration
9:30-10:00	Prof. Dinesh Abrol - Welcome Self-introduction and expectations of participants Dr. Usha Ramanathan - Overview of the Workshop
10:00-11:00	Session 1: Current Status of Aadhaar Dr. Usha Ramanathan, Legal Researcher, New Delhi - What the 2016 Law Says, and How it Came into Being S. Prasanna, Advocate, New Delhi - Status and Force of Supreme Court Orders on Aadhaar Discussion
11:00-11:30	Tea Break
11:30-13:30	Session 2: Direct Benefits Transfers Prof. Reetika Khera, Indian Institute of Technology, Delhi - Welfare Needs Aadhaar like a Fish Needs a Bicycle Prof. R. Ramakumar, Tata Institute of Social Sciences, Mumbai - Aadhaar and the Social Sector: A critical analysis of the claims of benefits and inclusion Ashok Rao, Delhi Science Forum - Cash Transfers Study Discussion
13:30-14:30	Lunch
14:30-16:00	Session 3: Aadhaar: Science, Technology, and Security Prof. Subashis Banerjee, Dept of Computer Science & Engineering, IIT, Delhi - Privacy and Security Issues Related to the Aadhaar Act Pukhraj Singh, Former National Cyber Security Manager, Aadhaar, New Delhi - Aadhaar: Security and Surveillance Dimensions Discussion
16:00-16:30	Tea Break
16:30-17:30	Session 4: Aadhaar - International Dimensions Joshita Pai, Center for Communication Governance, National Law University, Delhi - Biometrics and Mandatory IDs in Other Parts of the World Dr. Gopal Krishna, Citizens Forum for Civil Liberties - International Dimensions of Aadhaar Discussion
17:30-18:00	High Tea

May 27, 2016

9:30-11:00	Session 5: Privacy, Surveillance and Ethical Dimensions of Aadhaar Prabir Purkayastha, Free Software Movement of India, New Delhi - Surveillance Capitalism and the Commodification of Personal Data Arjun Jayakumar, SFLC - Surveillance Projects Amalgamated Col Mathew Thomas, Bengaluru - The Deceit of Aadhaar Discussion
11:00-11:30	Tea Break
11:30-13:00	Session 6: Aadhaar - Broad Issues I Prof. G Nagarjuna, Homi Bhabha Center for Science Education, Tata Institute of Fundamental Research, Mumbai - How to prevent linked data in the context of Aadhaar Dr. Anupam Saraph, Pune - Aadhaar and Moneylaundering Discussion
13:00-14:00	Lunch
14:00-15:30	Session 7: Aadhaar - Broad Issues II Prof. MS Sriram, Visiting Faculty, Indian Institute of Management, Bangalore - Financial lnclusion Nikhil Dey, MKSS, Rajasthan - Field witness: Technology on the Ground Prof. Himanshu, Centre for Economic Studies & Planning, JNU - UID Process and Financial Inclusion Discussion
15:30-16:00	Session 8: Conclusion
16:00-18:00	Informal Meetings

Annexure B – Workshop Participants

Anjali Bhardwaj, Satark Nagrik Sangathan

Dr. Anupam Saraph

Arjun Jayakumar, Software Freedom Law Centre

Ashok Rao, Delhi Science Forum

Prof. Chinmayi Arun, National Law University, Delhi

Prof. Dinesh Abrol, Jawaharlal Nehru University

Prof. G Nagarjuna, Homi Bhabha Center for Science Education, Tata Institute of Fundamental Research, Mumbai

Dr. Gopal Krishna, Citizens Forum for Civil Liberties

Prof. Himanshu, Jawaharlal Nehru University

Japreet Grewal, the Centre for Internet and Society

Joshita Pai, National Law University, Delhi

Malini Chakravarty, Centre for Budget and Governance Accountability

Col. Mathew Thomas

Prof. MS Sriram, Indian Institute of Management, Bangalore

Nikhil Dey, Mazdoor Kisan Shakti Sangathan

Prabir Purkayastha, Knowledge Commons and Free Software Movement of India

Pukhraj Singh, Bhujang

Rajiv Mishra, Jawaharlal Nehru University

Prof. R Ramakumar, Tata Institute of Social Sciences, Mumbai

Dr. Reetika Khera, Indian Institute of Technology, Delhi

Dr. Ritajyoti Bandyopadhyay, Indian Institute of Science Education and Research, Mohali

S. Prasanna, Advocate

Sanjay Kumar, Science Journalist

Sharath, Software Freedom Law Centre

Shivangi Narayan, Jawaharlal Nehru University

Prof. Subhashis Banerjee, Indian Institute of Technology, Delhi

Sumandro Chattapadhyay, the Centre for Internet and Society

Dr. Usha Ramanathan, Legal Researcher

Note: This list is only indicative, and not exhaustive.

[1] Civil Appeal No. 4853 of 2014

[2] WP(C) 494/2012

[3] . WP(C) 829/2013

[4] WP(C) 833/2013

[5] WP (C) 37/2015; (Earlier intervened in the Aruna Roy petition in 2013)

[6] WP (C) 932/2015

[7] Transferred from Madras HC 2013.

[8] SLP (Crl) 2524/2014 filed against the order of the Goa Bench of the Bombay HC in CRLWP 10/2014 wherein the High Court had directed UIDAI to share biometric information held by them of all residents of a particular place in Goa to help with a criminal investigation in a case involving charges of rape and sexual assault.

[9] See :http://scroll.in/article/806243/rajasthan-presses-on-with-aadhaar-after-fingerprint-readers-fail-well-buy-iris-scanners

For more details visit https://cis-india.org/internet-governance/blog/report-on-understanding-aadhaar-and-its-new-challenges

We are anonymous, we are legion

Responsible Data Forum: Discussion on the Risks and Mitigations of releasing Data

Responsible AI Workshop

Responses to Trai’s consultation paper on free data contain some good suggestions

Response to the Pegasus Questionnaire issued by the SC Technical Committee

Response to the Draft of The Information Technology [Intermediary Guidelines (Amendment) Rules] 2018

Response to RTI on Decisions of the Cyber Regulation Advisory Committee

Response to GCSC on Request for Consultation: Norm Package Singapore

Response by the Centre for Internet and Society to the Draft Proposal to Transition the Stewardship of the Internet Assigned Numbers Authority (IANA) Functions from the U.S. Commerce Department’s National Telecommunications and Information Administration

Responding to govt requests is a challenge for online firms: Colin Maclay

Respite from Internet Censorship?

Research Initiative: Women in India's IT Industry

Why the IT Industry?

How are these industry giants faring in terms of the treatment of their female employees?

Research Advisory Network Meeting

Hosting of the Event

Meeting Participant List

Research Advisory Network Committees

Special Guests

OECD Staff

Commission Secretariat

Research Advisory Network Biographies

Request for Specifics: Rebuttal to UIDAI

Report: From Oppression to Liberation: Reclaiming the Right to Privacy

Report on Understanding Aadhaar and its New Challenges

Report: Download (PDF)

1. Brief Background of the UID Project

2. Legal Status of the UIDAI Project

Procedural Issues with Passage of the Act

Status of Related Litigation

Relevant Orders of the Supreme Court

3. National Identity Projects in Other Jurisdictions

Pakistan

United Kingdom

Estonia

France

Argentina

4. Technologies of Identification and Authentication

Use of Biometric Information for Identification and Authentication

Architectures of Identification

Security Infrastructure of CIDR

5. Aadhaar for Welfare?

Social Welfare: Modes of Access and Exclusion

Financial Inclusion and Direct Benefits Transfer

6. Surveillance and UIDAI

7. Strategies for Future Action

Annexure A – Workshop Agenda

May 26, 2016

May 27, 2016

Annexure B – Workshop Participants